Zetera
April 2, 2019, 10:28pm
1
Need to configure a mikrotik to reflect the following:
What is needed is one port as a WAN uplink thru which one can assign a static public to the Mikrotik, and a second port that is also “connected” to the circuit to which will connect to a switch to be used to connect devices that will use a static public IP address. The other ports are all LAN ports with private DHCP assignments.
Is there anything I can look at to accomplish this or is there a simple configuration that can get me by for the time being?
mkx
April 3, 2019, 5:51am
2
Do you forsee use of firewall on CCR to defend other devices with public IPs?
Zetera
April 3, 2019, 4:06pm
4
This is my current configuration.
# apr/03/2019 11:49:21 by RouterOS 6.44.1
# software id = IF8Y-2BLH
#
# model = CCR1036-8G-2S+
# serial number = 6AAE05716373
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=1d10m name=\
dhcp1
add address-pool=dhcp disabled=no name=dhcp2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add disabled=yes interface=sfp-sfpplus1
add bridge=bridge1 interface=ether1
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=bridge1 list=LAN
add list=LAN
/ip address
add address=192.168.88.1/23 comment=defconf interface=bridge1 network=\
192.168.88.0
add address=192.168.88.1/23 interface=ether1 network=192.168.88.0
add address=74.218.160.34/27 interface=sfp-sfpplus1 network=74.218.160.32
/ip dhcp-client
add dhcp-options=hostname,clientid interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
add address=192.168.88.0/23 gateway=192.168.88.1 netmask=23
/ip dns
set servers=4.2.2.4,8.8.4.4,24.25.5.61
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp \
src-address-list=allow_list
add action=accept chain=input src-address-list=allow_list
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=74.218.160.32
/system clock
set time-zone-name=America/New_York
/system identity
set name="MikroTik Lab"