I am trying to set up a Routerboard 750GL running ROS 5.24 as a “router on a stick”, but I want to add ports 2 through 5 to the “private” side (vlan3) of the network.
The layout is as follows. I have a Cisco switch that has three vlans on it: Vlan1, 2 and 3. Vlan1 is for local management, Vlan2 is for public internet traffic, and Vlan3 is for private traffic that needs to be NATed by the “router on a stick”.
I have built the necessary vlan interfaces on Port 1 of the 750GL and given them IP addresses as follows.
I set up a default gateway of 10.1.1.1 (which is an SVI on the Cisco switch in vlan2), and it responds to ping from the MT using vlan2 as source.
I also set up another SVI on the switch in vlan3, and I can ping that IP from the MT with a source of vlan3.
I can’t ping from the vlan3 IP address to the vlan2 IP address on the MT. There are no firewall rules in Filter, NAT, or Mangle, so I would think I should be able to ping from one local interface to the other. Any ideas here?
Once I get the NAT working I want to add ports 2 through 5 to vlan3 using the onboard switch chip so that the router CPU does not get hammered by vlan3 traffic. Any ideas here would also be greatly appreciated.
I must not be understanding the whole scenario, so can you clarify for me…
Are you trying to ping 10.1.1.3 (the MT vlan2 IP) from the same MT (that has 172.17.1.254 configured as vlan3) or from an external device? If from the same MT, you’re right, there is no reason the MT shouldn’t be able to ping itself. If from an external device, this would have nothing to do with the MT config but rather the router between that device and the MT. There would need to be a router routing traffic between vlan2 and vlan3 for this to work (if not local to local on the same device).
As for the ether2-ether5 and vlan3 question, in the beginning I thought I understood that you wanted to NAT this traffic within the MT to vlan3, but later in the post, I understood that you want to bridge ether2-ether5 to vlan3.
If I try not to analyze every word individually, perhaps this is what you are looking for:
From your existing config:
/ip fir nat add chain=srcnat action=masquerade out-interface=vlan3
Make sure your preferred default gateway is 172.17.1.0 in order for the traffic to be NATed. If you don’t want to change your default gateway from the management vlan, then also do the following (update the XXX in the first line to the gateway address):
/ip route add gateway=172.17.1.XXX routing-mark=PrivateVlan
# out-interface cannot be matched in the prerouting chain (the egress interface is not known yet), so the mark is applied on in-interface only
/ip fir man add chain=prerouting action=mark-routing in-interface=ether2 new-routing-mark=PrivateVlan
If you additionally want to block private traffic from reaching other vlans then add the following to the above:
/ip fir filt add chain=forward action=drop in-interface=ether2 out-interface=!vlan3
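A fuller version of the NAT-on-a-stick setup sketched above, written as an added example rather than taken from either poster: it assumes the addresses mentioned in the thread (vlan2 10.1.1.3 with gateway 10.1.1.1, vlan3 172.17.1.254) with assumed /24 masks, masquerades private vlan3 traffic out of the public vlan2 uplink as the original post describes, and adds a stateful forward filter so only replies come back into vlan3 and private hosts cannot reach any other vlan through the router.

```routeros
# Added example, not from the thread. Assumed: vlan2 10.1.1.3/24 (gateway
# 10.1.1.1 on the Cisco SVI), vlan3 172.17.1.254/24, trunk on ether1.

# 802.1Q sub-interfaces on the trunk port facing the Cisco switch
/interface vlan
add name=vlan2 vlan-id=2 interface=ether1
add name=vlan3 vlan-id=3 interface=ether1

/ip address
add address=10.1.1.3/24 interface=vlan2
add address=172.17.1.254/24 interface=vlan3

# Default route via the vlan2 SVI on the Cisco (public side)
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1

# Hide vlan3 hosts behind the vlan2 address when they leave towards the public side
/ip firewall nat
add chain=srcnat out-interface=vlan2 action=masquerade

# Stateful forward policy (separate rules per connection-state, as in ROS 5.x):
#   replies to existing connections are allowed, invalid packets dropped,
#   new private -> public connections allowed, everything else to/from vlan3 dropped
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan3 out-interface=vlan2 action=accept
# optional isolation: private hosts may not reach vlan1/vlan2 hosts, and
# nothing may open new connections into the private side
add chain=forward in-interface=vlan3 action=drop
add chain=forward out-interface=vlan3 action=drop
```

Pings sourced from the router's own vlan3 address to its vlan2 address pass through the output and input chains, not forward, so this filter does not affect that local test.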
It’s a little difficult to understand what I am trying to do, so I created this diagram to hopefully clear it up.
Each vlan on the MT can talk to the correct vlan on the Cisco. What I can’t get to work is for the MT to be the router between vlans. It’s as if the vlan interfaces are in separate VRFs and can’t see each other. See below.
I can see the packets going through the input chain, but that’s as far as they seem to go.
Here is the relevant config from the MT and the Cisco.