I had a simple setup with the ISP-provided modem/gateway plus an ASUS router setup in "Access Point" mode. Network was "flat", single subnet.
After a few weeks of researching, reading, etc. I opted to get an RB5009 Mikrotik, based on the great reviews, flexibility, etc. I knew it would be a learning curve and I tried my best to spend the last 2 weekends reading documentation, forum posts, and viewing videos.
I got the RB5009 working as a router, keeping everything else the same (i.e. single subnet).
I am now trying to expand the configuration with the goal of adding a few VLANs. Since I have an RB5009, I think I need to use "Router on a Stick" (ROAS) and configure physical interfaces with VLANs.
I am also trying to make use of the ASUS router (RT-AX88U Pro), configuring VLANs per SSIDs.
My expectation was that if I configured the VLANs correctly, I would have a trunk between ether7 on the RB5009 and LAN1 on the AX88UPro. With that in mind, I also expected clients connecting on either of the 2 "guest" SSIDs on the ASUS to be able to "see" the DHCP servers I setup on the RB5009 via the LAN1 (ASUS) trunk to the ether7 port on the RB5009.
But that is not occurring... no IP obtained on the wireless clients. And I do not know if this is because of an issue on the RB5009 or on the AX88UPro or both.
I do not even know if this can work at all! Maybe I need to buy a different type of AP (another Mikrotik or something else with a more robust VLAN/SSID setup option).
Here is the RB5009 exported config:
Code: Select all
# 2024-03-24 16:19:18 by RouterOS 7.11.3
# software id =
#
# model = RB5009UG+S+
# serial number =
/interface bridge
add name=VLAN-BRIDGE-VL10-HOME
add name=VLAN-BRIDGE-VL20-GUEST1
add name=VLAN-BRIDGE-VL25-GUEST-2
add admin-mac=78:9A:18:BB:C3:66 auto-mac=no comment=defconf name=main-bridge
/interface ethernet
set [ find default-name=ether3 ] comment="ether3 NOT in main bridge"
set [ find default-name=ether7 ] comment=\
"NOT in main bridge, but has 3 VLANs for a trunk for AX88UPro"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether7 name=VLAN_10_E7 vlan-id=10
add interface=ether7 name=VLAN_20_E7 vlan-id=20
add interface=ether7 name=VLAN_25_E7 vlan-id=25
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_vlan10_home ranges=172.16.10.2-172.16.10.254
add name=dhcp_vlan20-guest1 ranges=192.168.20.2-192.168.20.127
add name=dhcp_vlan25-guest2 ranges=192.168.25.128-192.168.25.254
/ip dhcp-server
add address-pool=default-dhcp interface=main-bridge lease-time=10m name=\
defconf
add address-pool=dhcp_vlan10_home interface=VLAN-BRIDGE-VL10-HOME name=dhcp1 \
relay=172.16.10.1
add address-pool=dhcp_vlan20-guest1 interface=VLAN-BRIDGE-VL20-GUEST1 name=\
dhcp2 relay=192.168.20.1
add address-pool=dhcp_vlan25-guest2 interface=VLAN-BRIDGE-VL25-GUEST-2 name=\
dhcp3 relay=192.168.25.1
/interface bridge port
add bridge=main-bridge comment=PC interface=ether2 pvid=10
add bridge=main-bridge interface=ether4 pvid=10
add bridge=main-bridge comment=\
"AX88UPro non-tagged (access via 192.168.88.0 IP address)" interface=\
ether5 pvid=10
add bridge=main-bridge interface=ether6
add bridge=main-bridge interface=ether8
add bridge=main-bridge comment=defconf interface=sfp-sfpplus1
add bridge=VLAN-BRIDGE-VL10-HOME interface=VLAN_10_E7 pvid=10
add bridge=VLAN-BRIDGE-VL20-GUEST1 interface=VLAN_20_E7 pvid=20
add bridge=VLAN-BRIDGE-VL25-GUEST-2 interface=VLAN_25_E7 pvid=25
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=main-bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=main-bridge network=\
192.168.88.0
add address=192.168.1.253/24 comment="2nd WAN IP for accessing ISP gateway" \
interface=ether1 network=192.168.1.0
add address=172.16.10.1/24 interface=VLAN-BRIDGE-VL10-HOME network=\
172.16.10.0
add address=192.168.20.1/24 interface=VLAN-BRIDGE-VL20-GUEST1 network=\
192.168.20.0
add address=192.168.25.1/24 interface=VLAN-BRIDGE-VL25-GUEST-2 network=\
192.168.25.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat dst-address=192.168.1.254 to-addresses=\
192.168.1.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22022
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Here is a network diagram:
Am I on the right path? Is this just folly?