Pada
Member Candidate
Topic Author
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

[SOLVED] WAN bridging/NAT depending on VLAN ID

Mon Dec 14, 2009 10:55 pm

Is it possible to NAT & bridge on the same Ethernet (WAN) interface by using different VLAN's?

See the attached image for my network setup that I want.

I currently have VLAN 1 bridged with my local Ethernet ports (in a NAT configuration) on my RB750G with RouterOS 4.3. How would I go about to let VLAN 2 be bridged with my Ethernet (WAN) interface such that all the devices on VLAN 2 would automatically get unique WAN IP addresses from a DHCP server (that I don't own/manage) on the WAN connection. The WAN connection shouldn't have any VLAN tags.
Last edited by Pada on Tue Dec 15, 2009 7:59 pm, edited 1 time in total.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: WAN bridging/NAT depending on VLAN ID

Tue Dec 15, 2009 1:50 am

Please show different VLANs with different lines, I don't understand your picture %)

p.s. different interfaces too
 
Pada
Member Candidate
Topic Author
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

Re: WAN bridging/NAT depending on VLAN ID

Tue Dec 15, 2009 3:09 am

Chupaka, thank you for your attempt/interest.

Here's a more accurate/current diagram of my network configuration - see attachment.

Here's all the info that I think is relevant (otherwise it would be 80kB of other stuff):
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s l2mtu=1520 max-message-age=20s \
    mtu=1500 name=bridge-local priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s l2mtu=1524 max-message-age=20s \
    mtu=1500 name=bridge-wan priority=0x8000 protocol-mode=none \
    transmit-hold-count=6

/interface vlan
add arp=enabled comment="" disabled=no interface=ether2-local-master l2mtu=\
    1520 mtu=1500 name=vlan2 use-service-tag=no vlan-id=2

/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:84 \
    master-port=none mtu=1500 name=ether1-gateway-scn speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:85 \
    master-port=none mtu=1500 name=ether2-local-master speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:86 \
    master-port=ether2-local-master mtu=1500 name=ether3-local-slave speed=\
    100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:87 \
    master-port=ether2-local-master mtu=1500 name=ether4-local-slave speed=\
    100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:88 \
    master-port=ether2-local-master mtu=1500 name=ether5-local-slave speed=\
    100Mbps

/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=bridge-local lease-time=3d name=server1

/interface bridge port
add bridge=bridge-local comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=vlan2 path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge-local comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether2-local-master path-cost=10 point-to-point=\
    auto priority=0x80
add bridge=bridge-wan comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether1-gateway-scn path-cost=10 point-to-point=\
    auto priority=0x80

/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no

/ip address
add address=192.168.88.1/24 broadcast=192.168.88.255 comment=\
    "default configuration" disabled=no interface=bridge-local network=\
    192.168.88.0

/ip dhcp-client
add add-default-route=yes comment="default configuration" \
    default-route-distance=0 disabled=no interface=bridge-wan use-peer-dns=\
    yes use-peer-ntp=yes
add comment="" disabled=no interface=vlan1 use-peer-dns=yes use-peer-ntp=yes

/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1

/ip firewall nat
add action=masquerade chain=srcnat comment="SCN NAT" disabled=no dst-address=\
    10.20.0.0/16 out-interface=bridge-wan src-address=192.168.88.0/24
Additional notes:
* I've bridged the Ethernet port 1, because I've tried bridging it with vlan1
* The firewall rules are the factory default ones

I thought I could just bridge the VLAN 1 with the WAN port and apply some rule that removes the VLAN tag, but frankly I have no idea on how to do that. I can bridge it like I've done for VLAN 2, but then it would NAT the VLAN, instead of bridging it...

Help would be appreciated.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: WAN bridging/NAT depending on VLAN ID

Tue Dec 15, 2009 12:10 pm

I thought I could just bridge the VLAN 1 with the WAN port and apply some rule that removes the VLAN tag
But if you bridge, there's no tag! The tag should appear when you add a VLAN interface to the WAN port...
 
Pada
Member Candidate
Topic Author
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

Re: WAN bridging/NAT depending on VLAN ID

Tue Dec 15, 2009 7:52 pm

Thanks Chupaka, but I didn't really understand what you meant by that :(

I've eventually managed to get it working like I wanted:
It was actually very very simple:
  • Created VLAN1 & VLAN2 on the Ether4 (connected to the WiFi AP)
  • Created a bridge-WAN (with DHCP client enabled): Ether1 & VLAN1
  • Created a bridge-local (with DHCP server enabled): Ether2, Ether3, Ether5 & VLAN2
The differences between the previous sketch of my network setup and the one I have now are:
  • Removed Slave settings from Ether2-5
  • Placed Ether3&5 in Local bridge
  • Created a bridge-WAN: Ether1 & VLAN1
I'm not sure exactly where my mistakes were, but the biggest one was definitely that I had my Ether4 (connected to the WiFi AP) set as a Slave of Ether2.

I've attached a screenshot (quick overview) of how my setup looks in WinBox:
working-network-setup.png
Here's a stripped-down version of my config:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=proxy-arp auto-mac=yes \
    comment="" disabled=no forward-delay=15s l2mtu=1520 max-message-age=20s \
    mtu=1500 name=bridge-WAN priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s l2mtu=1520 max-message-age=20s \
    mtu=1500 name=bridge-local priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:84 \
    master-port=none mtu=1500 name=ether1-SCN speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:85 \
    master-port=none mtu=1500 name=ether2-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:86 \
    master-port=none mtu=1500 name=ether3-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:87 \
    master-port=none mtu=1500 name=ether4-D-Link speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5E:9D:88 \
    master-port=none mtu=1500 name=ether5-local speed=100Mbps
/interface vlan
add arp=enabled comment="" disabled=no interface=ether4-D-Link l2mtu=1520 \
    mtu=1500 name=VLAN-WAN use-service-tag=no vlan-id=1
add arp=enabled comment="" disabled=no interface=ether4-D-Link l2mtu=1520 \
    mtu=1500 name=VLAN-local use-service-tag=no vlan-id=2
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=bridge-local lease-time=3d name=local-dhcp
/interface bridge port
add bridge=bridge-WAN comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether1-SCN path-cost=10 point-to-point=auto \
    priority=0x80
add bridge=bridge-local comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether2-local path-cost=10 point-to-point=auto \
    priority=0x80
add bridge=bridge-WAN comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=VLAN-WAN path-cost=10 point-to-point=auto \
    priority=0x80
add bridge=bridge-local comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=VLAN-local path-cost=10 point-to-point=auto \
    priority=0x80
add bridge=bridge-local comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether3-local path-cost=10 point-to-point=auto \
    priority=0x80
add bridge=bridge-local comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=ether5-local path-cost=10 point-to-point=auto \
    priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no
/interface ethernet switch port
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
/ip address
add address=192.168.88.1/24 broadcast=192.168.88.255 comment="Local IP range" \
    disabled=no interface=bridge-local network=192.168.88.0
add address=192.168.0.51/31 broadcast=192.168.0.51 comment=\
    "D-Link 2100 AP on 192.168.0.50" disabled=no interface=ether4-D-Link \
    network=192.168.0.50
/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no \
    interface=bridge-WAN use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 primary-dns=10.20.30.1
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=bridge-WAN
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=bridge-WAN
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=bridge-WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="SCN NAT" disabled=no dst-address=\
    10.20.0.0/16 out-interface=bridge-WAN src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="Home Wireless Segment" disabled=\
    no dst-address=192.168.0.0/24 dst-address-list="" out-interface=\
    ether1-SCN src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=D-Link disabled=no dst-address=\
    192.168.0.50/31 dst-address-list="" out-interface=ether4-D-Link \
    src-address=192.168.88.0/23
/ip route
add comment="" disabled=no distance=1 dst-address=10.20.0.0/16 gateway=\
    10.20.60.1 scope=30 target-scope=10
PS: What happened to the BBCode in this post of mine?!
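As an added example (not from the thread and not MikroTik's own tooling), a small Python linter for the two mistakes this thread turns on: a VLAN interface created on a switch-slave port (the "Ether4 as a Slave of Ether2" problem), and one interface placed in two bridges, which would join the untagged WAN segment to the local LAN behind the firewall. It parses the backslash-wrapped `/export` format the posts are in; the sample export is constructed for the example, not Pada's.

```python
"""Lint a RouterOS '/export' for the two bridge/VLAN mistakes this thread turns on."""
import re
from collections import defaultdict
def parse_export(text):
    """Join backslash-continued lines; return one (section, {key: value}) per command."""
    joined = re.sub(r"\\\n\s*", "", text)        # RouterOS wraps long lines with '\'
    section, entries = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):                  # e.g. "/interface bridge port"
            section = line
        elif kv := re.findall(r'([\w-]+)=("[^"]*"|\S+)', line):
            entries.append((section, {k: v.strip('"') for k, v in kv}))
    return entries

def lint(text):
    """Return findings as strings; an empty list means both checks passed."""
    master, vlan_parent, bridge_ports = {}, {}, defaultdict(list)
    for section, kv in parse_export(text):
        if section == "/interface ethernet" and kv.get("master-port", "none") != "none":
            master[kv["name"]] = kv["master-port"]     # switch-chip slave port
        elif section == "/interface vlan":
            vlan_parent[kv["name"]] = kv["interface"]
        elif section == "/interface bridge port":
            bridge_ports[kv["bridge"]].append(kv["interface"])
    findings = []
    # 1. VLAN interface on a slave port: the OP's "ether4 as a slave of ether2" mistake
    for vlan, parent in vlan_parent.items():
        if parent in master:
            findings.append(f"{vlan}: parent {parent} is a slave of {master[parent]}")
    # 2. one interface in two bridges would splice the WAN and local L2 segments together
    owner = {}
    for bridge, ports in bridge_ports.items():
        for port in ports:
            if owner.setdefault(port, bridge) != bridge:
                findings.append(f"{port}: member of both {owner[port]} and {bridge}")
    return findings

# Constructed sample: the first post's layout (VLAN on a slave port) plus one VLAN in two bridges.
BROKEN = r"""
/interface ethernet
set 3 master-port=ether2-local-master mtu=1500 name=\
    ether4-local-slave
/interface vlan
add interface=ether4-local-slave name=vlan2 vlan-id=2
/interface bridge port
add bridge=bridge-local comment="" interface=ether2-local-master
add bridge=bridge-local interface=vlan2
add bridge=bridge-wan interface=vlan2
"""
```

Run `lint(open("export.rsc").read())` against a real `/export` file to get the same checks over a live config.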
