Hi, I have the following question at the moment about how best to configure this scenario:
The idea is to have WAN on ether1 with NAT translation and 5 internal VLANs which are completely separated, but with some IP-based routes for access towards the VLANs.
I also need a port forward for ports 80/443 for a web appliance using Let's Encrypt.
Is it best to configure 5 bridges, each always containing the WAN port,
or to configure 6 bridges, one for NAT, and then add the bridges for the VLANs on that bridge?
4 of the VLANs shall each contain an individual WiFi access point as well as DHCP with static and dynamic addresses.
On the MikroTik devices ports 2-4 will be configured as trunk ports, and every switch shown is configured as an access switch (1 trunk for the connection to the MikroTik, the rest of the ports as access ports for the needed VLAN).
Beware that RouterOS also allows you to use Let’s Encrypt to secure its HTTPS (WebFig) interface. Without a fair bit of trickery, you can’t get 2+ devices to do that through a single set of port-forward rules. What you might want to do instead is use the MT router as a CA (same link, higher up) to mint internal TLS certificates for itself and for this other web appliance of yours. Then all you need do is install the public half of the router’s CA key into all the client machines, and they’ll trust both devices’ certificates, being signed by the private half.
There’s something unclear about why you bring this question up here, though.
If the FritzBox is running in bridge mode, then what you want to know is that “port forwarding” is spelled “destination NAT” in RouterOS land.
If the FritzBox is acting as a full-featured router, then you’d need to do this port-forwarding there, but now you have two forks to the path. If the MT box is also acting as a router, then you likely have a double-NAT situation, which complicates all this. Or, you might be using the MT box as a smart L3 switch, which solves that, but then it isn’t a proper “router” any more.
Please clarify.
Is it best to configure 5 Bridges
No, never. Except when running on near-obsolete MT products you aren’t likely to be using, RouterOS supports one bridge per switch chip only. Configuring 2+ bridges is usually suboptimal since it forces RouterOS to run the bridge in software, on the device’s CPU. Five bridges — implying 4 on the CPU and one in hardware — is almost certain to constitute a design error.
containing always the WAN Port
A given port can be a member of only one bridge; another reason why “5 bridges” is almost certain to be the wrong thing.
I believe what you’re looking for instead is bridge VLAN filtering which allows a single bridge to enforce the boundaries between any number of VLANs.
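An added example, not code from the thread or from MikroTik's documentation, of the layout the reply above recommends: one bridge with VLAN filtering, ether2-4 as tagged trunks, a routed VLAN interface with DHCP (dynamic pool plus a static lease) per VLAN, NAT out of ether1, and inter-VLAN traffic dropped except for explicitly listed IP-based exceptions. The VLAN IDs 10-50, the 10.10.x.0/24 subnets, the MAC address, and the appliance address 10.10.30.5 are assumptions chosen for illustration.

```routeros
# Added example (not from the thread). Assumed: ether1 = WAN, ether2-4 = trunks,
# VLAN IDs 10-50, subnets 10.10.<vid>.0/24, web appliance at 10.10.30.5.

/interface bridge
add name=bridge1 vlan-filtering=no comment="switch vlan-filtering on only after the VLAN table exists"

# Trunk ports: accept tagged frames only, so an untagged host cannot land in PVID 1
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether4 frame-types=admit-only-vlan-tagged

# VLAN table: every VLAN is tagged on the three trunks and on the bridge itself
# (the bridge entry is what lets the router hold an L3 interface on the VLAN)
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4 vlan-ids=40
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether4 vlan-ids=50

# One routed interface per VLAN, on top of the bridge
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10 comment="management + WiFi 1"
add interface=bridge1 name=vlan20 vlan-id=20 comment="WiFi 2"
add interface=bridge1 name=vlan30 vlan-id=30 comment="servers / web appliance"
add interface=bridge1 name=vlan40 vlan-id=40 comment="WiFi 3"
add interface=bridge1 name=vlan50 vlan-id=50 comment="WiFi 4"

/ip address
add address=10.10.10.1/24 interface=vlan10
add address=10.10.20.1/24 interface=vlan20
add address=10.10.30.1/24 interface=vlan30
add address=10.10.40.1/24 interface=vlan40
add address=10.10.50.1/24 interface=vlan50

# DHCP for vlan10: dynamic pool plus one static lease (repeat the four lines per VLAN)
/ip pool
add name=pool10 ranges=10.10.10.100-10.10.10.199
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 lease-time=1d
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip dhcp-server lease
add address=10.10.10.10 mac-address=AA:BB:CC:DD:EE:01 server=dhcp10 comment="access point 1 (assumed MAC)"

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=vlan40 list=LAN
add interface=vlan50 list=LAN

# Router itself: management only from the management VLAN, nothing from WAN
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan10
add chain=input action=drop in-interface-list=WAN

# Between VLANs: explicit IP-based exceptions, then a default drop
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address=10.10.10.0/24 dst-address=10.10.30.5 protocol=tcp dst-port=443 comment="VLAN10 -> web appliance"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN comment="no other inter-VLAN traffic"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Last step: enforce the VLAN table. Do this from a session on vlan10 (or via
# Safe Mode / mac-winbox) so a mistake above cannot lock you out.
/interface bridge set bridge1 vlan-filtering=yes
```

Two checks worth running afterwards: `/interface bridge port print` shows an `H` flag on ports whose forwarding is handled by the switch chip, which is what the single-bridge design is meant to preserve, and `/interface bridge vlan print` should list every VLAN with its trunks as tagged members before `vlan-filtering=yes` is applied.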
Using Let's Encrypt in that case only for the router with its own subdomain, running behind a reverse proxy to obtain and distribute the other certs.
The FritzBox is acting as a full-featured router, double NAT with a complete drop of IPv6. In that case I need to forward the ports twice:
once from the WAN of the Fritz.box → WAN of the MikroTik,
and from the WAN of the MikroTik → reverse proxy.
The idea behind this is not to change the private network in case of changing the provider. Bad experiences in the past, especially with cable connections and bad update behaviour on the access router.
Thanks a lot, because I understood from some of the basic configuration videos that I'll need to go such a way, and I was already wondering a bit what the best configuration approach is. But one of the links showed me how to deal with it correctly.
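An added example, not from the thread, of the second hop of the double forward described above: destination NAT on the MikroTik from its WAN side (the address the FritzBox hands out on ether1) to the reverse proxy, with a hairpin rule so clients on the VLANs can reach the same public name, and the router's own HTTPS service moved out of the way. The FritzBox side (its port-sharing rule for 80/443 towards the MikroTik's WAN address) is configured in the FritzBox UI and is not shown. The proxy address 10.10.30.5, the 10.10.0.0/16 aggregate for the VLANs, and the WAN/LAN interface lists are assumptions.

```routeros
# Added example (not from the thread). Assumed: ether1 is in interface list WAN,
# the VLAN interfaces are in list LAN and use 10.10.0.0/16, reverse proxy at 10.10.30.5.

/ip firewall nat
# Hop 2 of the double NAT: FritzBox -> MikroTik WAN -> reverse proxy
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=80,443 \
    to-addresses=10.10.30.5 comment="80/443 -> reverse proxy"
# Hairpin: a VLAN client using the public hostname resolves to the MT WAN address;
# dst-address-type=local matches the router's own addresses, the negation leaves only the WAN one
add chain=dstnat action=dst-nat in-interface-list=LAN dst-address-type=local dst-address=!10.10.0.0/16 \
    protocol=tcp dst-port=80,443 to-addresses=10.10.30.5 comment="hairpin to reverse proxy"
add chain=srcnat action=masquerade src-address=10.10.0.0/16 dst-address=10.10.30.5 \
    protocol=tcp dst-port=80,443 comment="hairpin return path"

/ip firewall filter
# Allow only the forwarded connections in from WAN; everything else from WAN is dropped
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN protocol=tcp dst-port=80,443
add chain=forward action=drop in-interface-list=WAN

# dst-nat runs in prerouting, before the input chain, so port 443 on the WAN address now
# belongs to the proxy. Restrict WebFig/HTTPS to the management VLAN so it is neither
# shadowed nor reachable from outside.
/ip service set www-ssl address=10.10.10.0/24
/ip service set www disabled=yes
```

After applying this, `/ip firewall connection print where dst-address~":443"` should show inbound entries with the proxy as the reply destination; if the router's own certificate is served instead, the dst-nat rule is not matching (check `in-interface-list`).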