Hi Mikrotik Folks,
I’m trying to set up a main network with several VLANs hidden by NATs (or something similar) on a CRS125-24G-1S-RM:
network.png
Before setting up multiple VLANs, as shown above, I simplified my setup to have just one VLAN behind a NAT. The main network is on the 192.168.1.0/24 subnet, the VLAN is on the 10.10.10.0/24 subnet. The CRS tags incoming traffic on ether17 and ether22 with a VLAN ID of 2. All ports have their master port set to ether1.
/interface vlan
add interface=ether1 l2mtu=1584 name=VLAN2 vlan-id=2
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether22,ether17
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,switch1-cpu vlan-id=2
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=2 ports=ether22,ether17 sa-learning=yes
/interface ethernet switch vlan
add ports=ether1,ether17,ether22,switch1-cpu vlan-id=2
/ip address
add address=192.168.1.1/24 comment="Main LAN" interface=ether1 network=192.168.1.0
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=10.10.10.0/24 to-addresses=192.168.1.2
I’ve verified that the VLAN portion of this works: hosts on ether17 and ether22 can ping each other. When I add a new address (i.e.,
/ip address add address=10.10.10.1/24 interface=VLAN2
), I can ping the 192.168.1.0/24 subnet from the 10.10.10.0 subnet (and vice versa). However, this situation is not desirable: I want the VLAN2 subnet to be hidden behind a NAT.
Does anyone have any suggestions on how to configure the CRS to hide the 10.10.10.0/24 VLAN subnet behind a NAT?
So far, I have not been able to figure out the right combination of routing table rules/NAT settings that ensures that traffic leaving the VLAN2 subnet is NATted; I either can’t access the main LAN from the VLAN, or I go through the main routing table.
Thanks.
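One way to express "hidden behind a NAT" in RouterOS terms, as an added example that is not part of the original post: it assumes the router's own ether1 address (192.168.1.1) is used as the NAT source via masquerade rather than a separate to-addresses value, so return traffic is addressed to an IP the router actually owns, and it pairs the NAT rule with a forward-chain filter so the main LAN cannot open connections into VLAN2.

```routeros
# Added example, not the original poster's configuration.
# Assumption: the router masquerades VLAN2 behind its own ether1 address
# (192.168.1.1) instead of translating to 192.168.1.2.

# Give the router an address on the VLAN so it routes for 10.10.10.0/24.
/ip address
add address=10.10.10.1/24 interface=VLAN2 network=10.10.10.0

# Translate everything leaving VLAN2 toward the main LAN to the ether1 address.
# masquerade takes the out-interface's address automatically, so the main LAN
# only ever sees 192.168.1.1 and needs no route to 10.10.10.0/24.
/ip firewall nat
add chain=srcnat src-address=10.10.10.0/24 out-interface=ether1 \
    action=masquerade comment="hide VLAN2 behind ether1 address"

# "Hidden" also means the main LAN must not reach into VLAN2 on its own.
# Accept only replies to connections that VLAN2 hosts initiated, drop the rest.
/ip firewall filter
add chain=forward in-interface=ether1 out-interface=VLAN2 \
    connection-state=established,related action=accept \
    comment="replies to VLAN2-initiated traffic"
add chain=forward in-interface=ether1 out-interface=VLAN2 \
    action=drop comment="block main LAN -> VLAN2"
```

To confirm the translation is happening, generate traffic from a VLAN2 host and check that the srcnat rule's counters increase with `/ip firewall nat print stats` and that `/ip firewall connection print` shows the 10.10.10.x source with a reply destination of 192.168.1.1.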