Access mikrotik management on other port than eth1

Hi,
I’m pretty new to mikrotik and “professional” networking as well, so please do not judge me for dumb questions.
I tried to show you my targeted network infrastructure as well as I can.

My important components:
Router for Internet, Wi-Fi and DMZ insecure stuff
Fritzbox 6660:

  • IP: 10.10.10.1/24

Router for Firewalling between DMZ and Secure Networks
OPNsense installed in a Unraid VM on a MiniServer Hardware

  • WAN IP: 10.10.10.2/24
  • LAN IP: 10.10.11.1/24
  • LAN DHCP 10.10.11.100/24 - 10.10.11.200/24
  • Static Lease for Mikrotik Port 10.10.11.2/24

Router / Switch for VLAN Management
Mikrotik CRS310

  • WAN Port: sfp-sfpplus1 (NOT ETH1)
  • WAN IP : 10.10.11.2/24
  • VLAN Configuration like you can see in the Netplan (could also be done in opnsense but that’s a later project)

Now to my problem:
If I plug only the connection between fritzbox ↔ opnsense ↔ mikrotik I can ping 10.10.11.2 (mikrotik address) without any issues out of the 10.10.10.0/24 network.
But I can just access Mikrotik management if I connect one of the other Ethernet ports of the mikrotik to the 10.10.10.0/24 network and access with winbox via MAC-Address.
If I plug a PC or so into the LAN Port of opnsense it gets an IP address and can immediately access the internet and the other devices on 10.10.10.0/0.
Important to say that ping is working from Mikrotik to any other device in 10.10.10.0/24.

Could someone help me to access mikrotik management via the wan port and make a configuration for my other vlan’s?
That would be awesome!

Kind regards,
Stephan

Could you export the config of the CRS310 and post it here?

export file=anynameyouwish

First, thank you for the reply.
Here are the settings
settings.rsc (1015 Bytes)

So the CRS310 is acting as a router getting its WAN IP from OPNsense and then creating other VLANs???
Can’t do this on Fritzbox or OPNsense??

Yes that’s true.
OPNsense could do the VLANs as well, but Fritzbox is not able to do VLAN’s
Fritzbox is needed for connecting to provider and making WiFi.
I just want to let Mikrotik Switch the VLANs because of performance. Route everything to opnsense, Mikrotik uses CPU instead of switching chip.
Or am I wrong? It would just bring no benefits doing that. Just one more hop for switching between VLAN’s.


VLAN’s are right now not the problem because till now I do not even use VLANs.
That would be my next step because I do not have that much experience in that as an old Endpoint Management Horse :smiley:

I just saw that the WAN subnet and the VLAN subnet are two different ones. So the setup wouldn’t be as hard as I thought it would be. I will assume ether1 would be access port for VLAN13 and ether2, 3 and 4 for VLAN12. Firstly, you will remove all bridge port entries because there is no existing bridge. Then you will create a bridge and add ether1-4 in it and set up pvids for them after which you will add two VLAN interfaces and add addresses to them. Next step would be adding bridge VLAN table entries and enabling VLAN filtering on the bridge:

/interface bridge port remove 0,1,2,3,4,5,6

/interface bridge add name=bridge

/interface bridge port
add bridge=bridge interface=ether1 pvid=13
add bridge=bridge interface=ether2 pvid=12
add bridge=bridge interface=ether3 pvid=12
add bridge=bridge interface=ether4 pvid=12

/interface vlan
add interface=bridge name=VLAN12 vlan-id=12
add interface=bridge name=VLAN13 vlan-id=13

/ip address
add address=10.10.12.1/24 network=10.10.12.0 interface=VLAN12
add address=10.10.13.1/24 network=10.10.13.0 interface=VLAN13

/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=12
add bridge=bridge tagged=bridge vlan-ids=13

/interface bridge set bridge vlan-filtering=yes

If you’re using a firewall and want to allow traffic between the sfp and the VLAN (assuming by the same color of the arrows which threw me off in the first place), then you would need to add firewall rules which allow it.
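
The firewall rules mentioned in the last reply, together with management access restricted to the uplink port, could look like this on the CRS310. This is an added example, not configuration posted in the thread. It assumes WinBox on its default TCP port 8291, an empty filter table, that VLAN clients use no services on the router itself, and that only the OPNsense LAN may open connections into VLAN12; the list name MGMT is hypothetical.

```routeros
# Added example, not from the thread. Interface names and subnets are the
# ones used in the thread; the list name MGMT is hypothetical.

# Management plane: WinBox (IP and MAC) reachable only through the uplink.
/interface list add name=MGMT
/interface list member add list=MGMT interface=sfp-sfpplus1
/ip service set winbox address=10.10.10.0/24,10.10.11.0/24
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT

/ip firewall filter
# input chain = traffic addressed to the router itself
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router opened"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="keep ping working"
add chain=input action=accept in-interface=sfp-sfpplus1 protocol=tcp \
    dst-port=8291 src-address=10.10.10.0/24 comment="WinBox from Fritzbox net"
add chain=input action=accept in-interface=sfp-sfpplus1 protocol=tcp \
    dst-port=8291 src-address=10.10.11.0/24 comment="WinBox from OPNsense LAN"
add chain=input action=drop comment="no other access to the router"

# forward chain = traffic routed between the sfp uplink and the VLANs
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=VLAN12 out-interface=sfp-sfpplus1 \
    comment="VLAN12 out via uplink"
add chain=forward action=accept in-interface=VLAN13 out-interface=sfp-sfpplus1 \
    comment="VLAN13 out via uplink"
add chain=forward action=accept in-interface=sfp-sfpplus1 out-interface=VLAN12 \
    src-address=10.10.11.0/24 comment="assumed: OPNsense LAN may reach VLAN12"
add chain=forward action=drop comment="no inter-VLAN, no other inbound"
```

OPNsense needs routes for 10.10.12.0/24 and 10.10.13.0/24 via 10.10.11.2 for return traffic, unless the CRS310 masquerades on sfp-sfpplus1. Enabling RouterOS Safe Mode before adding the final drop rules lets a lockout roll back automatically.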