Cisco IOS originates from a declarative environment, whereas MikroTik ROS relies more on explicit commands, but you can basically do anything found in IOS (or even more).
Process:
create a vlan interface, set name to VLAN-100, use vlan id 100 and assign it to ethernet port 5.
create a dhcp client and assign it to interface VLAN-100.
ROS commands
# Create VLAN interface on port 5
interface vlan add name=VLAN-100 vlan-id=100 interface=ether5
ip dhcp-client add interface=VLAN-100
# Status commands. Optionally add "detail" at the end of each line.
interface vlan print
ip dhcp-client print
ip route print
Now I'm stuck with how the port should be configured. I have configured the port on the Cisco to be an access port and send all packets without the VLAN tag. In the MikroTik router I want to tag all packets with VLAN 100.
Am I supposed to have the interface set to secure or fallback? Either way I can see the MAC address landing in the right VLAN in the Cisco switch, but I don't know how I can see the same information in the MikroTik router.
Is there any kind of converter between a Cisco config and a MikroTik config? I think it would be easier for me, having worked with Cisco products for 10 years, to learn the syntax of the MikroTik that way.
Sorry, but I don’t grasp the logic here. If you’re connecting to an access port, then you have already untagged traffic in both directions and don’t need the vlan interface. Or have I missed anything?
I'm using one port in the MikroTik on my local LAN; the other port, which I want to assign to VLAN 100, is supposed to collect an external IP from my ISP. My goal is to route some traffic from my local LAN out with another public IP than the rest of my local LAN.
Ok, I assume your Cisco has the public ip address? And you want to route your local net from the MikroTik to the public ip on the Cisco using vlan 100? And you also want the untagged traffic on the access port to be passed on to the public ip using the internal vlan 100?
I don’t have the full picture to understand the purpose but you probably need to setup the port on the Cisco as a hybrid using pvid. Perhaps something like this:
interface ethernet5
port link-type hybrid
port hybrid vlan 100 tagged
undo port hybrid vlan 1
port hybrid pvid vlan 100
Maybe you can draw a picture or supply more detailed info about your needs …
I made a picture where I'm trying to show what I'm thinking.
So the Cisco ASA will have an IP address in VLAN 100 delivered by the ISP. And my plan is that the MikroTik will collect a second IP from the ISP on VLAN 100.
It doesn't matter if I deliver VLAN 100 as tagged or untagged towards the switch. A trunk port would be nice, but I don't know how to set that up in the MikroTik.
The primary goal is to get the MikroTik to take an address from the ISP on VLAN 100 and have a static address on my inside LAN, VLAN 200.
Good picture, now I think I understand the objective (sort of anyhow)
If the MikroTik is using only untagged traffic to/from vlan 100 and 200 it’s probably a piece of cake. Then you only need to setup the MikroTik to use two regular ether-ports with DHCP on the “vlan-100” side plus a basic firewall/NAT setup. A redundant default gateway requires some additional steps but that’s a different story. Some questions though to make sure I understand everything correctly:
You want to add an additional gateway for the local network (vlan-200) to the internet using a MikroTik?
All “local” access are done by untagged traffic using access ports to vlans that are only internal to the switch besides the ASA that’s utilizing tagged traffic?
The ISP supplies public ip addresses with DHCP on the vlan-100 network?
I think the key to everything is the switch and how it’s configured in regards to the different types of ports, i.e. Access/Hybrid/Trunk. If it was preconfigured and delivered together with the ASA, you probably don’t have admin access to the configuration and you need to ask your ISP.
You want to add an additional gateway for the local network (vlan-200) to the internet using a MikroTik?
All clients on the LAN use the ASA with 192.168.1.1 as their default GW. I want some clients to use the MikroTik instead, so their GW will be 192.168.1.3, which is the IP address of the MikroTik on VLAN 200.
All “local” access are done by untagged traffic using access ports to vlans that are only internal to the switch besides the ASA that’s utilizing tagged traffic?
Yes
The ISP supplies public ip addresses with DHCP on the vlan-100 network?
Yes
The ASA and the Cisco switch are my own devices, so I have full access to them. Configuring these is no problem for me. The problem is that I don't exactly know what and how the MikroTik behaves. What does it mean with fallback, secure and so on, on ethernet ports? How do I configure port 5 as a trunk that only allows VLAN 100, for example, and how do I create an SVI with VLAN 100 and set it to get an IP address with DHCP?
Some of these things I've figured out... for a minute, and then something goes horribly wrong and I have a loop or something.
I have read the wiki for what seems like hours trying to put the puzzle together. I think that working with one vendor for so long has scarred me for life.
Btw, normally you don’t have to alter anything on the physical interfaces. You just have to add some basic stuff like ip address subnets etc, much like on the ASA. What ports are you planning to use on the MikroTik for the different vlans?
Port 5 for vlan 100 (outside) and port 1 for vlan 200 inside.
Port 1 is a member of bridge 1 and has a static IP
Port 5 is now a member of bridge 2 together with VLAN 100; don't know if this is the way to do it.
Port 5 is connected to the Cisco switch and that interface is configured as an access port (VLAN 100). I can see the MAC address from bridge2 in the Cisco switch and it is assigned to VLAN 100 as expected. But I can't see any MAC addresses on port 5 or in VLAN 100 in the MikroTik. Feels like I'm missing one part.
Well, you can of course use a bridge to group ethernet ports together but let’s start with keeping it as simple as possible.
Since both ports are connected to the switch through access ports there is no need to tag/untag traffic through a vlan-interface on the MikroTik and we can instead use the ordinary ethernet interfaces.
I assume you already have an internal DNS server on your local network so we just assign a new gateway address (that obviously must differ from the gateway address on the ASA)
The settings below are based on the following assumptions
Eth port 5 (facing vlan-100) => WAN, Internet (DHCP)
Eth port 1 (facing vlan-200) => LAN, 192.168.0.250/24 in this example.
# Use symbolic names for the interfaces to make it easier to read
# (it's also possible to rename the interface directly)
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=ether5 list=WAN
add interface=ether1 list=LAN
# Setup LAN with gateway address 192.168.0.250 and disable routing to it.
# (Leading slashes make every command absolute, so the script also works when
# pasted as a whole after a menu change such as "/interface list member".)
/ip address add address=192.168.0.250/24 interface=ether1
/ip route add dst-address=192.168.0.0/24 type=unreachable
# Setup WAN with DHCP. Default route will be added dynamically by default.
/ip dhcp-client add interface=ether5
# Establish NAT for outgoing traffic (similar to IOS “ip nat inside”)
# Action “masquerade” dynamically utilizes the current ip-address assigned to
# the WAN port as its outgoing source address.
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
# Some basic firewall filter rules…
#
# IOS is in general more flexible with grouping, pools, ttl, etc but you can do more
# or less the same with ROS using scripts and the scheduler, it’s just a lot more
# tedious. Btw, “fasttrack” below will bypass the firewall for already accepted and
# established NAT-connections and will speed up things tremendously as well as
# significantly reduce CPU load especially on smaller devices.
# More examples: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add action=drop chain=forward comment="Drop not NATed from WAN" connection-nat-state=!dstnat in-interface-list=WAN
# Input chain (traffic to the router itself). The two accept rules are needed
# because the last rule drops everything else; without them the LAN-only
# management services configured below would be unreachable.
add action=accept chain=input comment="Accept established/related" connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to local routes" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which do not have a unicast source IP address" src-address-type=!unicast
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop LAN packets with a non-local source address" in-interface-list=LAN src-address=!192.168.0.0/24
add action=accept chain=input comment="Accept management from the LAN" in-interface-list=LAN
add action=drop chain=input comment="Drop everything else"
# disable some management services
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
# enable some management services to be accessible only from the LAN
/ip service set winbox address=192.168.0.0/24
/ip service set ssh address=192.168.0.0/24
/ip service set www address=192.168.0.0/24
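The tagged trunk variant asked about earlier in the thread (port 5 as a trunk carrying only VLAN 100, with a DHCP-addressed SVI for it), as an added example that is not from any post here: it assumes RouterOS 6.41 or later with bridge VLAN filtering and reuses the LAN/WAN interface lists from the config above; bridge-wan is an assumed name.

```routeros
# Added example, not from any post in this thread. Same LAN/WAN design as the
# config above, but port 5 is a trunk that carries only VLAN 100 and the
# router's own "SVI" for VLAN 100 gets its address by DHCP.
# Assumes RouterOS 6.41 or later (bridge VLAN filtering) and that the interface
# lists LAN and WAN already exist; the bridge name bridge-wan is an assumption.

/interface bridge
add name=bridge-wan protocol-mode=none

/interface bridge port
# Trunk side: admit tagged frames only, and drop frames whose VLAN id is not
# present in the bridge vlan table below.
add bridge=bridge-wan interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 100 is tagged on ether5 and handed tagged to the bridge (CPU) port.
add bridge=bridge-wan vlan-ids=100 tagged=bridge-wan,ether5

/interface vlan
# The routed VLAN interface sits on the bridge, not on ether5: a bridge port is
# a slave interface and cannot carry an IP address or a DHCP client itself.
add name=VLAN-100 vlan-id=100 interface=bridge-wan

/interface list member
# Put the SVI in the WAN list so the NAT and filter rules above apply to it.
add interface=VLAN-100 list=WAN

/ip dhcp-client
add interface=VLAN-100 disabled=no

/interface bridge
# Enable filtering last, after the vlan table is complete.
set bridge-wan vlan-filtering=yes

# Verify: vlan table, lease state, and which interfaces are currently slaves
/interface bridge vlan print
/ip dhcp-client print detail
/interface print where slave
```

Only VLAN 100 can enter or leave ether5 once filtering is on; untagged frames from the switch are dropped at the bridge port rather than silently joining the bridge.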
Ok, I will try this. Didn't know that you could use the ethernet interfaces as routed interfaces. I thought they were just switched interfaces; this makes it much easier.
I reset the MikroTik and redid everything following your example. When I'm done I can see that the dhcp-client on ethernet5 is stopped. If I try to enable it I get this error:
“Couldn´t change DHCP Client - can not run on slave interface (6)”