Purchased an RB1000 to be used in a heavy traffic data room as a core router (term used loosely).
Here’s what I want to do:
*Bring in (1) physical interface (and its 13 IPs) facing public (WAN)
*Configure multiple VLANS to segregate department traffic, keeping it on separate subnets
*Configure gateway/route by subnet. IE: vlan-1: 192.168.100.0 network traffic routes via public virtual interface 2
*Enact traffic shaping and bandwidth limiting to different degrees across the network
*Restrict Inter-VLAN routing to 1-2 subnets and even then only a few IPs
That being said, what’s my best place to start?
I’ve set up a public ethernet interface and a private one and have assigned them IP information. I think I’m missing something as traffic doesn’t pass from private to public and out to the net.
I’m really interested in learning this product. I’m so used to the way things are done on Cisco that I’m trying to unlearn them to a degree. I’m in Texas (Houston) if anyone wants to chat offline for a few or meet up and school me, I’d appreciate it.
*Bring in (1) physical interface (and its 13 IPs) facing public (WAN)
Just add IP address to the interface, /ip address add address=
There is no such thing as a secondary address; you can add as many addresses as you want.
*Configure multiple VLANS to segregate department traffic, keeping it on separate subnets
You can configure VLANs on Ethernet-like media interfaces (Ethernet, wireless).
The /interface vlan menu is used for VLANs; you can specify the parent interface and VLAN ID.
*Configure gateway/route by subnet. IE: vlan-1: 192.168.100.0 network traffic routes via public virtual interface 2
It is not a problem, /ip route add gateway=192.168.x.x dst-address=192.168.100.0/24 (network will be reachable over the configured gateway).
*Enact traffic shaping and bandwidth limiting to different degrees across the network
*Restrict Inter-VLAN routing to 1-2 subnets and even then only a few IPs
The question there is how you want to achieve it.
I added my ISP IP/gateway appropriately so traffic can route from 192.168.100.0/24.
Set up masquerading to hide the private IPs from the big scary Interweb.
Set up multiple VLANs for my needs and assigned IP addresses to their interfaces.
( It is not a problem, /ip route add gateway=192.168.x.x dst-address=192.168.100.0/24 (network will be reachable over the configured gateway).)
I assumed you meant 192.168.x.x would be the gateway for the 192.168.100.0/24 network? If that’s the case I would enter the VLAN gateway interface for each subnet, no? I also want to create ACLs between the interfaces to prevent certain traffic, or sometimes all traffic, from passing each way.
Traffic shaping/queueing is a whole other monster I need to work on. Just want to get the basic functionality up and tie our 7 networks together.
The wiki explains all of that in great detail and should be fairly easy to understand for someone not building a configuration from scratch but porting over an existing router.
It’s pretty much a 1st-time configuration on an existing network with horrible routing gear (3com officeconnect router). I’m very much accustomed to Cisco so it’s taking me a while to get used to RouterOS.
Some of the people I’ve talked to are very helpful but there’s a language barrier sometimes so I have to read things a couple times to understand.
If you’re coming from Cisco, for firewall purposes try to stop thinking in ACLs as ACLs only allow you to specify IP addresses. The firewall filters in RouterOS are considerably more expressive. It might help to read documentation on iptables/netfilter. netfilter.org has outstanding documents available. RouterOS is based on the same concepts.
Assume three local network interfaces: lan1, lan2 and lan3. The WAN interface is named wan, and everyone can pass traffic to it. You want to block all traffic flow initiated from lan1 to lan2 or lan3, lan2 can initiate traffic to TCP ports 80 and 443 on lan3 and lan3 can talk to everyone.
Traffic destined to the router itself is in the ‘input’ chain. Traffic generated by the router itself is in the ‘output’ chain. Traffic flowing through the router is in the ‘forward’ chain.
/ip firewall filter
add chain=forward action=accept connection-state=established comment="Statefully allow all established traffic to flow"
add chain=forward action=accept connection-state=related comment="Statefully allow all related traffic to flow"
add chain=forward action=accept out-interface=wan comment="Everyone may talk to the WAN"
add chain=forward action=accept in-interface=lan2 out-interface=lan3 protocol=tcp dst-port=80,443 comment="lan2 may talk to TCP 80/443 on lan3"
add chain=forward action=accept in-interface=lan3 comment="lan3 may talk to everyone"
add chain=forward action=drop comment="drop everything else"
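To see why rule order and the final catch-all matter, here is an added example (not from the thread or from RouterOS itself): a small Python model of the forward chain above, evaluated top to bottom with first-match semantics over a handful of constructed packets. Interface names and packet fields are assumed to mirror the post; the `packet()` helper and sample names are illustrative only.

```python
# Added example: simulate first-match evaluation of the forward chain posted
# above. Rules are dicts of matchers; the first rule whose matchers all agree
# with the packet decides the verdict. Packets below are constructed samples.

FORWARD_RULES = [
    {"action": "accept", "connection_state": "established"},
    {"action": "accept", "connection_state": "related"},
    {"action": "accept", "out_interface": "wan"},
    {"action": "accept", "in_interface": "lan2", "out_interface": "lan3",
     "protocol": "tcp", "dst_port": {80, 443}},
    {"action": "accept", "in_interface": "lan3"},
    {"action": "drop"},  # catch-all: no matchers, so it matches everything
]

def rule_matches(rule, pkt):
    """All matchers in a rule must hold (AND semantics); 'action' is not a matcher."""
    for key, wanted in rule.items():
        if key == "action":
            continue
        if key == "dst_port":
            if pkt.get("dst_port") not in wanted:
                return False
        elif pkt.get(key) != wanted:
            return False
    return True

def forward_chain(pkt, rules=FORWARD_RULES):
    """Verdict of the first matching rule; with no match RouterOS accepts by default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"

def packet(in_if, out_if, state="new", protocol="tcp", dst_port=None):
    """Build a constructed forward-chain packet (hypothetical helper)."""
    return {"in_interface": in_if, "out_interface": out_if,
            "connection_state": state, "protocol": protocol, "dst_port": dst_port}

SAMPLE_PACKETS = {
    "lan1_to_lan2_new":   packet("lan1", "lan2", dst_port=445),
    "lan1_to_lan2_reply": packet("lan1", "lan2", state="established", dst_port=51000),
    "lan2_to_lan3_https": packet("lan2", "lan3", dst_port=443),
    "lan2_to_lan3_ssh":   packet("lan2", "lan3", dst_port=22),
    "lan3_to_lan1_rdp":   packet("lan3", "lan1", dst_port=3389),
    "lan1_to_wan_http":   packet("lan1", "wan", dst_port=80),
}

def evaluate_samples(rules=FORWARD_RULES):
    """Map each sample packet name to its verdict under the given rule list."""
    return {name: forward_chain(p, rules) for name, p in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} -> {verdict}")
```

Passing `FORWARD_RULES[:-1]` to `evaluate_samples()` shows the effect of forgetting the catch-all: the lan1 to lan2 packet is then accepted by the default policy.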
I’m having to break the thought process of Cisco. It’s been years since I’ve worked with iptables or ipfw (back when I was hooked on Unix) so I’ll take your advice.
I’m going to start simple and get all my traffic moving, get a light lockdown in place, then get hardcore once I have a better understanding.