Beginner ... setting up a 24 port CRS125-24G-1S-2HnD-IN CloudSwitch device

Hello all,

Thank you for taking the time to read my post and hopefully provide me some guidance. I am setting up a 24 port CRS125-24G-1S-2HnD-IN CloudSwitch device and seem to not have everything quite right. I've set up my Ethernet ports, my wifi port, assigned IP addresses, set up DHCP servers, set up firewall rules and set up NAT BUT for some reason I still cannot get from my private networks (192.168.[120,143].0/20) to the interwebs. Any help you can provide would be HUGELY appreciated. For starters here's the text backup of my current config ->

# mar/13/2016 18:55:04 by RouterOS 6.34.3
# software id = 87FH-0MLK
#
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=WPA2 supplicant-identity="" wpa-pre-shared-key=BlahBlahBangedyBangBang wpa2-pre-shared-key=BlahBlahBangedyBangBang
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n dfs-mode=radar-detect disabled=no mode=ap-bridge security-profile=WPA2 ssid=MikroTik-AP wireless-protocol=802.11
/ip pool
add name=dhcp_pool1 ranges=192.168.143.50-192.168.143.254
add name=dhcp_pool2 ranges=192.168.120.50-192.168.120.254
add name=dhcp_pool3 ranges=192.168.121.50-192.168.121.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=wlan1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether2 name=dhcp2
/ip address
add address=77.149.123.128/29 interface=ether1 network=77.149.123.128
add address=192.168.120.1/24 interface=ether2 network=192.168.120.0
add address=192.168.121.1/24 interface=ether3 network=192.168.121.0
add address=192.168.122.1/24 interface=ether4 network=192.168.122.0
add address=192.168.123.1/24 interface=ether5 network=192.168.123.0
add address=192.168.124.1/24 interface=ether6 network=192.168.124.0
add address=192.168.125.1/24 interface=ether7 network=192.168.125.0
add address=192.168.126.1/24 interface=ether8 network=192.168.126.0
add address=192.168.127.1/24 interface=ether9 network=192.168.127.0
add address=192.168.128.1/24 interface=ether10 network=192.168.128.0
add address=192.168.129.1/24 interface=ether11 network=192.168.129.0
add address=192.168.130.1/24 interface=ether12 network=192.168.130.0
add address=192.168.131.1/24 interface=ether13 network=192.168.131.0
add address=192.168.132.1/24 interface=ether14 network=192.168.132.0
add address=192.168.133.1/24 interface=ether15 network=192.168.133.0
add address=192.168.134.1/24 interface=ether16 network=192.168.134.0
add address=192.168.135.1/24 interface=ether17 network=192.168.135.0
add address=192.168.136.1/24 interface=ether18 network=192.168.136.0
add address=192.168.137.1/24 interface=ether19 network=192.168.137.0
add address=192.168.138.1/24 interface=ether20 network=192.168.138.0
add address=192.168.139.1/24 interface=ether21 network=192.168.139.0
add address=192.168.140.1/24 interface=ether22 network=192.168.140.0
add address=192.168.141.1/24 interface=ether23 network=192.168.141.0
add address=192.168.142.1/24 interface=ether24 network=192.168.142.0
add address=192.168.143.1/24 interface=wlan1 network=192.168.143.0
/ip dhcp-server network
add address=192.168.120.0/24 dns-server=192.168.120.1 gateway=192.168.120.1
add address=192.168.143.0/24 dns-server=192.168.143.1 gateway=192.168.143.1
/ip dns
set allow-remote-requests=yes servers=68.87.68.162,68.87.74.162
/ip firewall address-list
add address=192.168.120.0/24 list="120 LAN"
add address=192.168.143.0/24 list=143LAN
/ip firewall filter
add chain=input comment="Allow access to router from 120 LAN" src-address-list="120 LAN"
add chain=input comment="Allow access to router from 143 LAN" src-address-list=143LAN
add chain=input comment="Allow established connections to router" connection-state=established
add chain=input comment="Allow related connections to router (i.e. for ftp client on router)" connection-state=related
add action=drop chain=forward comment="Drop all invalid packets" connection-state=invalid
add chain=forward comment="Allow connections from wireless LAN" connection-state=new in-interface=wlan1
add chain=forward comment="Allow connections from .120 LAN" connection-state=new in-interface=ether2
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward comment="Drop all other forward chain traffic"
add action=drop chain=input comment="Drop all other traffic"
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.143.0/24 to-addresses=77.149.123.130
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.120.0/24 to-addresses=77.149.123.129
add action=dst-nat chain=dstnat comment="dst-nat to allow TCP port 80 http traffic on .129 to BouncyBaloons.net" dst-address=77.149.123.129 dst-port=80 protocol=tcp to-addresses=192.168.120.3
add action=dst-nat chain=dstnat comment="dst-nat to allow TCP port 80 http traffic on .130 to BouncyBaloons.net" dst-address=77.149.123.130 dst-port=80 protocol=tcp to-addresses=192.168.120.3
add action=dst-nat chain=dstnat comment="dst-nat to allow TCP port 53 DNS traffic on .129 to BouncyBaloons.net" dst-address=77.149.123.129 dst-port=53 protocol=tcp to-addresses=192.168.120.3
add action=dst-nat chain=dstnat comment="dst-nat to allow TCP port 53 DNS traffic on .130 to BouncyBaloons.net" dst-address=77.149.123.130 dst-port=53 protocol=tcp to-addresses=192.168.120.3
add action=dst-nat chain=dstnat comment="dst-nat to allow UDP port 53 DNS traffic on .129 to BouncyBaloons.net" dst-address=77.149.123.129 dst-port=53 protocol=udp to-addresses=192.168.120.3
add action=dst-nat chain=dstnat comment="dst-nat to allow UDP port 53 DNS traffic on .130 to BouncyBaloons.net" dst-address=77.149.123.130 dst-port=53 protocol=udp to-addresses=192.168.120.3
/ip route
add comment="Default gateway" distance=1 gateway=77.149.123.134
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=America/Chicago
/system ntp client
set enabled=yes primary-ntp=199.102.46.77 secondary-ntp=129.250.35.250

I can successfully connect to both my x.x.120.0/24 ether1 network and my x.x.143.0/25 wifi network and use Winbox to connect to my router on both networks. When I use the Winbox tool I can successfully ping 8.8.8.8 but when I'm connected to ether1 on IP 192.168.120.7 I cannot ping 8.8.8.8 using my Windows command prompt. Further I don't see the traffic spattering on any of my firewall rules (which are rather basic as you can see). I believe I may have something borked in my NAT setup but I can't see where. What else should I configure? Any replies are surely appreciated. Have a nice day.

jameseastman
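An added example, not part of jameseastman's post: a small Python model of how RouterOS walks the posted input and forward chains, restricted to the matchers those rules actually use (chain, connection-state, in-interface, src-address-list). The sample packets are constructed. It shows that the filter rules as posted do accept a new connection arriving on ether2 bound for the internet, so the filter is not what stops 192.168.120.7, and that the closing input drop keeps the WAN side away from the router's resolver even though allow-remote-requests=yes. The same walk for a new connection that arrives on ether1 and has already been dst-nat'd to 192.168.120.3 ends at the closing forward drop, because dst-nat runs before the forward chain and no forward rule accepts new connections from ether1; the posted port forwards are therefore unreachable from the internet until such a rule exists. Rule indices and names are mine.

```python
import ipaddress
from dataclasses import dataclass

# Address lists copied from the posted /ip firewall address-list section.
ADDRESS_LISTS = {
    "120 LAN": [ipaddress.ip_network("192.168.120.0/24")],
    "143LAN": [ipaddress.ip_network("192.168.143.0/24")],
}

# /ip firewall filter rules in export order. RouterOS defaults a rule's
# action to accept when none is given, which is what the export relies on.
FILTER_RULES = [
    {"chain": "input", "src_address_list": "120 LAN"},
    {"chain": "input", "src_address_list": "143LAN"},
    {"chain": "input", "connection_state": "established"},
    {"chain": "input", "connection_state": "related"},
    {"chain": "forward", "action": "drop", "connection_state": "invalid"},
    {"chain": "forward", "connection_state": "new", "in_interface": "wlan1"},
    {"chain": "forward", "connection_state": "new", "in_interface": "ether2"},
    {"chain": "forward", "connection_state": "established"},
    {"chain": "forward", "connection_state": "related"},
    {"chain": "forward", "action": "drop"},
    {"chain": "input", "action": "drop"},
]


@dataclass(frozen=True)
class Packet:
    chain: str             # "input" = addressed to the router, "forward" = through it
    src: str               # source IP as the filter sees it (after dst-nat, before src-nat)
    in_interface: str      # ingress interface
    connection_state: str  # new / established / related / invalid


def rule_matches(rule, pkt):
    """Every matcher present on a rule must match for it to fire, as in
    RouterOS. Only the matchers used by the posted rules are modelled."""
    if rule["chain"] != pkt.chain:
        return False
    if "connection_state" in rule and rule["connection_state"] != pkt.connection_state:
        return False
    if "in_interface" in rule and rule["in_interface"] != pkt.in_interface:
        return False
    if "src_address_list" in rule:
        nets = ADDRESS_LISTS[rule["src_address_list"]]
        if not any(ipaddress.ip_address(pkt.src) in net for net in nets):
            return False
    return True


def verdict(pkt, rules=FILTER_RULES):
    """Walk the chain top to bottom; the first match wins. Returns
    (action, rule index). With no match RouterOS accepts, which these
    rules never reach because each chain ends in an unconditional drop."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.get("action", "accept"), index
    return "accept", None


# Constructed sample packets, not captured traffic.
LAN_TO_INTERNET = Packet("forward", "192.168.120.7", "ether2", "new")    # 192.168.120.7 -> 8.8.8.8
WAN_TO_ROUTER_DNS = Packet("input", "203.0.113.5", "ether1", "new")      # probe of UDP/53 on the WAN IP
WAN_TO_PORT_FORWARD = Packet("forward", "203.0.113.5", "ether1", "new")  # already dst-nat'd to 192.168.120.3:80

if __name__ == "__main__":
    for name, pkt in [("LAN host to internet", LAN_TO_INTERNET),
                      ("WAN to router resolver", WAN_TO_ROUTER_DNS),
                      ("WAN to dst-nat'd web server", WAN_TO_PORT_FORWARD)]:
        action, index = verdict(pkt)
        print(f"{name:30} -> {action} (rule {index})")
```

Run it and the three verdicts are accept at rule 6, drop at rule 10, and drop at rule 9. The rule-9 drop is the one to keep in mind when adding dst-nat entries on a RouterOS box with a default-drop forward chain.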

You mean connected on ether2, I assume, since ether1 is your WAN port.

Yes, that’s correct. Ether1 is my WAN port and my xx.xx.120.0/24 is on my ether 2 port. WiFi is still xx.xx.143.0/24. Sorry about that mix up.

jameseastman

Soooo … anyone see anything I need to change to get things going?

jameseastman

Hi jameseastman,

I think your issue is that you didn’t assign the correct IP addresses to your WAN interface (ether1).
You shouldn’t assign the network address (= the first address of your /29 IP range). So remove the current IP on ether1.

/ip address
remove [find address="77.149.123.128/29"]

Because you are using two outgoing addresses you need to add those two in your configuration. You must add every IP address you are using (otherwise packets will not be able to find their way back to your router).

/ip address
add address=77.149.123.129/29 interface=ether1 network=77.149.123.128
add address=77.149.123.130/29 interface=ether1 network=77.149.123.128

Hope this helps!

Best regards,
Lui
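An added example, not from luidoltp's post: a Python check of the /29 arithmetic behind this advice, using only the standard-library ipaddress module and the addresses from the thread. It lists the usable host addresses of the block, flags an interface address that is the block's network or broadcast address or the ISP gateway, and flags any public address that a srcnat to-addresses or dstnat dst-address rule relies on but that is not bound on ether1 (the router only answers ARP for bound addresses, which is why replies for .129 and .130 never arrived). The function and constant names are mine.

```python
import ipaddress

# Values from the thread: the ISP's /29, its gateway, and the public addresses
# the posted srcnat to-addresses and dstnat dst-address rules rely on.
WAN_BLOCK = ipaddress.ip_network("77.149.123.128/29")
ISP_GATEWAY = ipaddress.ip_address("77.149.123.134")
NAT_ADDRESSES = ("77.149.123.129", "77.149.123.130")


def usable_hosts(block=WAN_BLOCK):
    """Host addresses of the block: everything except network and broadcast."""
    return [str(host) for host in block.hosts()]


def audit_wan_addressing(bound, block=WAN_BLOCK, gateway=ISP_GATEWAY,
                         nat_addresses=NAT_ADDRESSES):
    """Check the ether1 entries (as 'a.b.c.d/len' strings from /ip address)
    against the ISP block and the NAT rules. Returns a list of findings;
    an empty list means the WAN addressing is consistent."""
    findings = []
    answerable = set()  # addresses the router will actually answer ARP for
    for entry in bound:
        iface = ipaddress.ip_interface(entry)
        if iface.network != block:
            findings.append(f"{entry}: not in the ISP block {block}")
            continue
        if iface.ip == block.network_address:
            findings.append(f"{entry}: this is the network address of {block}, not a host address")
        elif iface.ip == block.broadcast_address:
            findings.append(f"{entry}: this is the broadcast address of {block}")
        elif iface.ip == gateway:
            findings.append(f"{entry}: this is the ISP gateway; the router must not claim it")
        else:
            answerable.add(iface.ip)
    if gateway not in block:
        findings.append(f"default gateway {gateway} is outside {block} and is not reachable on ether1")
    for addr in nat_addresses:
        if ipaddress.ip_address(addr) not in answerable:
            findings.append(f"{addr}: used by a NAT rule but not bound on ether1, "
                            "so replies for it get no ARP answer")
    return findings


# The ether1 address as posted, and the two addresses after luidoltp's fix.
AS_POSTED = ["77.149.123.128/29"]
AFTER_FIX = ["77.149.123.129/29", "77.149.123.130/29"]

if __name__ == "__main__":
    print("usable host addresses:", ", ".join(usable_hosts()))
    for label, bound in [("as posted", AS_POSTED), ("after fix", AFTER_FIX)]:
        print(f"{label}:")
        for finding in audit_wan_addressing(bound) or ["OK"]:
            print("   ", finding)
```

The block has six host addresses, .129 through .134; with .134 taken by the ISP gateway that leaves the five statics mentioned later in the thread. The posted config produces three findings (network address on ether1, plus .129 and .130 unbound), and the two-address fix produces none.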

He’s using a switch as a router.

Wouldn’t he run into performance issues later down the road?


Arcee,

This is a home / small office application. I don’t foresee being able to stress this hardware in this situation. I CAN however use this platform to do plenty of learning.

luidoltp,

I see now. All the examples I followed used CIDR notation on the WAN port soooo … I thought I too should use the CIDR block to describe the small IP subnet my ISP provided me. You’re saying I need to assign each of my 5 static IPs to my WAN port so the routing knows how to act on the way back. I get it. I’ll try that when I get home from work this evening. I will report my results back to this thread.

All,

Many thanks.

jameseastman

All,

The advice luidoltp provided worked. All is well in wireless land now.

jameseastman

It is similar to connecting a big gigabit switch to an RB2011.