Doable or stupid configuration!!

Hi,
I have an old physical OPNsense router/FW and want to add a virtual OPNsense router/FW for load balancing in my network.
I only have one ISP connection.
I also have a CRS326-24G-2S+IN and if I understand correctly I can use eth1 as a DHCP client and get my ISP information.
I want all traffic to go through my physical and virtual router, for VLAN, DNS, DHCP etc. etc. and NOT the CRS326-24G-2S+IN.
Is this doable?
This is the config I think is needed on the CRS326-24G-2S+IN:
-ether1

  • DHCPClient to get ISP info/config

-ether3

  • Physical router WAN connection
    IP Address: 10.10.10.2
    srcnat with masquerade

-ether4

  • Virtual router WAN connection
    IP Address: 10.10.10.3
    srcnat with masquerade

If I’m understanding correctly, this config will pass all traffic from/to my ISP to the WAN port on the routers!

Now for the LAN side

-ether5

  • Physical router LAN connection
    IP Address: 192.168.88.2
    srcnat with masquerade

-ether6

  • Virtual router LAN connection
    IP Address: 192.168.88.3
    srcnat with masquerade

If I’m understanding correctly, this config will pass all traffic from/to my “bridge ports” to the LAN port on the routers!
I’m also configuring VLANs on layer 2 and 3 so they can exit the bridge ports.

Are my assumptions correct, or is there a better configuration to use?

Br
JT

Hi,
The CRS326 is a switch.

It can do full routing with NAT, firewall etc., but it isn’t very fast. (Fine if your internet is not very fast.)

https://mikrotik.com/product/crs326_24g_2s_in#fndtn-testresults

It can do L3 routing in hardware where it is very fast, but with no NAT, and only access lists to block or allow traffic.
(for high-speed internal traffic)

https://help.mikrotik.com/docs/spaces/ROS/pages/62390319/L3+Hardware+Offloading

You can likely get it to work, but you might want to consider its design a bit if you want it to be fast. E.g. put more on the OPNsense devices.

Hi,
Thank you for the reply.
Yes, the OPNsense devices are doing all the routing and FW.
I just want to use the CRS326 to get the ISP connection, send all the traffic to the HA OPNsense devices and then back to the CRS326 (LAN).
OPNsense has all the network config, FW, VLAN, DHCP, DNS etc. etc.
I don’t know how to configure the CRS326 to do that.
Sorry for the poorly worded question.
Br
JT

Hi,
Using the CRS326 to get an IP from the ISP and then spread it around requires NAT.

The following is something near a config which should do that.
Unfortunately, the default CRS RouterOS config is very poor for use as a router, so
I have borrowed most of a default configuration, especially the firewall, from a MikroTik hEX router.

This has ether1 being the WAN interface, with DHCP client on it.

You would apply the config, section by section to the CRS. Ideally reviewing it before you apply it.

The config has an IPv6 firewall. At least initially I would apply the IPv6 firewall, but disable IPv6 on the device.
Then tweak to suit yourself.
Note: I am assuming the config is applied to a CRS with near a default config (not empty) on it.

# Maybe CRS full firewall config.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

# Remove ether1 from the bridge, so it can be WAN.

/interface bridge port
set [find where interface=ether1] disabled=yes

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip dhcp-client
add comment=defconf interface=ether1

#likely already has this configured.
#/ip address
#add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.240

/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1

/ip dns
set allow-remote-requests=yes


/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

## Default rule to block 
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN


# Optional, but stuff I would recommend.
# Leaves main access via WinBox (there is MAC telnet still).

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ipv6 settings
set disable-ipv6=yes

Thank you.
I’ll try it.
Worst case i go back to ISP->router->crs326 config.

Some more configuration

This bit sets up 10 ports to connect to the OPNSense1 output and 10 ports to connect to the OPNSense2 output.
They are layer 2 access ports, assuming all IP stuff is handled by the OPNsense device.

ether1-4 are unchanged:
ether1 is still WAN
ether2 is still LAN (connect to OPNSense1 input)
ether3 is still LAN (connect to OPNSense2 input)
ether4 is still LAN (management)

ether5-14 are access ports put on VLAN 10; one of these ports is connected to the output of OPNSense1.
ether15-24 are access ports put on VLAN 20; one of these ports is connected to the output of OPNSense2.

/interface bridge port
set [find where interface=ether5] comment=OPNSense1 frame-types=admit-only-untagged-and-priority-tagged pvid=10 bridge=bridge
set [find where interface=ether6] comment=OPNSense1 frame-types=admit-only-untagged-and-priority-tagged pvid=10 bridge=bridge
#repeat for ether7-14...
set [find where interface=ether14] comment=OPNSense1 frame-types=admit-only-untagged-and-priority-tagged pvid=10 bridge=bridge


/interface bridge port
set [find where interface=ether15] comment=OPNSense2 frame-types=admit-only-untagged-and-priority-tagged pvid=20 bridge=bridge
set [find where interface=ether16] comment=OPNSense2 frame-types=admit-only-untagged-and-priority-tagged pvid=20 bridge=bridge
#repeat for ether 17-24...
set [find where interface=ether24] comment=OPNSense2 frame-types=admit-only-untagged-and-priority-tagged pvid=20 bridge=bridge

/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10,20

/interface bridge
set bridge vlan-filtering=yes
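The same access-port setup as the post above, written as an added example rather than the poster's own config: a loop applies the per-port settings to ether5-24 instead of one `set` line per port, and a few `print` commands afterwards confirm what was applied (WAN port out of the bridge, PVIDs, VLAN table, ISP lease, firewall counters). It assumes the bridge is named `bridge`, that ether1 is the WAN port and ether5-24 the OPNsense output ports exactly as in the thread, and RouterOS v7 syntax; run it instead of, not in addition to, the three `/interface bridge ...` blocks in the post, because the `vlan` entry would otherwise be added twice.

```routeros
# Added example, not from the thread. Assumes bridge "bridge", ether1 = WAN,
# ether5-14 = OPNSense1 output (VLAN 10), ether15-24 = OPNSense2 output (VLAN 20).

# 1. Access-port settings applied in a loop; ("ether" . $i) builds "ether5"..."ether24".
:for i from=5 to=14 do={
    /interface bridge port set [find where interface=("ether" . $i)] \
        bridge=bridge pvid=10 \
        frame-types=admit-only-untagged-and-priority-tagged comment=OPNSense1
}
:for i from=15 to=24 do={
    /interface bridge port set [find where interface=("ether" . $i)] \
        bridge=bridge pvid=20 \
        frame-types=admit-only-untagged-and-priority-tagged comment=OPNSense2
}

# 2. Bridge VLAN table: the two OPNsense output networks stay separated.
#    No space after the comma; "10, 20" is parsed by the CLI as two arguments.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10,20

# 3. Enable VLAN filtering only after the ports and VLAN table are in place.
#    Enabling it first drops traffic on ports whose membership is not yet set,
#    which can include the management port (ether4 stays untagged in VLAN 1 via the default pvid).
/interface bridge
set bridge vlan-filtering=yes

# 4. Checks to run from the console after applying the config.
# WAN port must not be an active bridge member (expect a disabled row or nothing):
/interface bridge port print where interface=ether1
# Each group of OPNsense ports should show its expected PVID:
/interface bridge port print where pvid=10
/interface bridge port print where pvid=20
# VLAN table as configured above:
/interface bridge vlan print
# Lease ether1 obtained from the ISP (address, gateway, DNS):
/ip dhcp-client print detail
# Firewall counters: the "drop all not coming from LAN" input rule should be the one
# counting unsolicited WAN-side packets; the forward fasttrack/accept rules count LAN traffic:
/ip firewall filter print stats
```

The checks are the ones worth repeating after any later change: if `vlan-filtering=yes` is set before step 1 and 2 on a device you only reach through ether4, the safest recovery is Safe Mode in the terminal, which RouterOS reverts automatically when the session is lost.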