After getting my first Mikrotik switches to work, I’m trying right now to replace my pfSense with an rb5009 router.
Right now the router can access the internet (updating RouterOS can be done), I do have two wan-ports that get their IPs by dhcp, a working bridge, the vlans and the dhcp-servers per vlan are doing their job.
What I do not know - and what I don’t find with Mr. Google - is how to have a dedicated gateway for each and every vlan.
I want to make sure that every vlan and all of its traffic can reach the internet only by an individual gateway/wan-port. There should be an individual dns-server for every vlan also.
a) vlans 10 and 40 → wan-port 1
b) vlan 20 → wan-port 2
and later with a wireguard vpn connection (Mullvad)
c) vlan-vpn → wireguard connection.
It seems that I don’t know what to search for or how to translate what I see on youtube or read to get it working for my setup.
Using pfSense I created the proper firewall-rules and did the nat-translation. What is to do to have my rb5009 doing the trick?
This is an excellent source to review and once you have a config to show
/export file=anynameyouwish (minus router serial number and any public WANIP information.)
Either src-nat or masquerade is a one line entry per VLAN with the right LAN IPs required to the desired WAN interface or Public IP.
The inside NAT VLAN IPs should be different and are your DHCP server IPs you are using in each VLAN.
I will have a look at the shown configs within this thread.
I do have my vlans set up within individual IP ranges. The vlan-interfaces do have their own IPs (e. g. 192.168.10.1/24) and I have the dhcp-server running at this vlan-interface. Each vlan has its own dhcp-server with the vlan-interface-address being set as the dns-server and the gateway.
What is missing is a rule to specify that each vlan-interface is using its individual gateway/wan-interface for every service etc.
You aren’t making sense; the line you need is a NAT rule, it’s that simple. FYI the traffic first comes out from the VLAN .. aka a computer inside the VLAN tries to connect to the internet. The internet doesn’t know or care about your VLANs until the traffic is NATed and sent via a public WAN IP.
So now look at your WAN IPs: if it’s static you can source NAT, if it’s dynamic you will need to masquerade .. both determine how the traffic exits a VLAN and which WAN IP it ends on.
So for example you have DHCP1 = 192.168.10.1/24, DHCP2 = 192.168.11.1/24
case 1.) Your WAN IP is static (xxx.xxx.xxx.xxx) … so let’s send DHCP1 server out that WAN IP
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.10.0/24 to-addresses=xxx.xxx.xxx.xxx
case 2.) Your WAN IP is dynamic so you only have an interface etherxx … so let’s send DHCP2 server out that interface
/ip firewall nat
add action=masquerade chain=srcnat out-interface=etherxx src-address=192.168.11.0/24
All the rule is doing is taking a source IP range from the DHCP servers and NATing it to a public IP or interface to get to the internet. You have multiple DHCP servers (IP ranges) and you want to go to different WANs, so you need multiple NAT rules, one for each DHCP server.
/ip/firewall/filter> add chain=input action=accept in-interface=99-Mgmt out-interface-list=WAN-INet comment="Allow 99-Mgmt to WAN"
failure: outgoing interface matching not possible in input and prerouting chains
That allows any IP in those 3 ranges to be NAT’ed to get internet access, which, as I understand it, is what you are trying to do.
What you are trying to do with VLAN99 is unclear because whatever you wanted to do with it was illegal and not in config.
You will need to explain what the management VLAN99 needs to do and why you want to mark it
Wrong approach ldb…
What the OP needs to do is state the requirement of traffic flow based on
a. identifying user(s)/device(s) and groups of users/devices including the admin
b. identify the traffic flows they should have/be able to accomplish.
Without any word of the config…
A network diagram helps provide context for equipment being used, WAN connections intended physical or wifi, and subnets being used.
The problem is the OP’s head is stuck in config speak, and the actual requirements are not clear.
Once understood, then and only then can a coherent config be cobbled together…
I have created the attached pdf which should show what I would like to do. This should make clear that I do need a dedicated dns-server for every single one of the three wan-connections and that the traffic of vlan 10 should not leave by using ‘ether 3 - St - WAN’ etc.
It’s just about the router configuration. The switches of the LAN are up and running.
(1) Why would I bother commenting? The config linked is missing the wireguard information, I don’t work on snippets. Besides lacking in firewall rules AND ROUTES.
(2) Where is the sourcenat rule for outgoing information going out ether3…
(3) Why does the ether2 sourcenat have the associated src-address attached ?? Routing and firewall rules determine where vlan99 traffic is allowed to go and get routed by…
(4) Can you be clear on your DNS plan.
In dhcp-server network you have vlan10 using vlan99 gateway, vlan20 and vlan30 using their own gateway and vlan99 uses its own gateway.
The router will be using a doh connection? So all the DNS will go through the DoH server, ???
Here is the scoop, makes two of us who don’t get it, the diagram was a good start,
however you need to
a. identify all the user(s)/device(s) and groups of users/devices
b. what traffic they should be able to accomplish.
Do not use any config speak, just actual users, devices and traffic required.
(1) I did not ask you to work for me and to give me a working config. All I asked for is how to set the gateway for a vlan if there is more than just one wan-interface. See (2) for why there is no vpn configured.
(2) I talked about the management-vlan and not about any other vlans. I deactivated all other vlans, just trying to get vlan 99 up and running as a first example.
(3) The ‘ether 2 - WAN’ is the interface for having internet-access for vlan 10 and vlan 99. As vlan 99 is the management-vlan it is separated. Both should use 9.9.9.9 and 1.1.1.1 as DNS-Server.
Vlan 30 should use the vpn-connection which will be using the ether 2 - WAN interface for connection to the vpn-server. The dns-server should be the one shown within the vpn-config-file given by the vpn-provider.
vlan 20 should use ether 3 - St - WAN as gateway and the ‘router 2 IP’ as its dns-server.
Again… How do I configure a special wan-interface to be used by a vlan as its gateway if there is more than one, and how do I set a specific dns-server that should be used for every wan-connection?
I don’t know how to say it that much more clearly. There are always two sides, the one saying and the one listening… I’m thankful for any help, but if this is the way you’re talking, don’t take note of my posts in the future.
No, will not do. Users and devices etc. are not relevant for my question.
Regarding the traffic: every bit of traffic from the individual vlan. Not even a single bit should be allowed to use a different wan-connection.
Sorry, it’s you that doesn’t understand, I didn’t ask for your configuration BS. All I asked for is how to set the gateway for a vlan if there is more than just one wan-interface.
I asked to explain what users and devices you had and what traffic requirements they had.
The network diagram shows what equipment and ISPs and subnets are involved.
Then a coherent plan and config can be devised.
Sorry, but the problem has nothing to do with gateways and vlans, it’s your inability to communicate requirements, from which the config is derived.
Without knowing the context, it’s a waste of my time.
I came across this topic searching for guidance on how to route some vlans to another wan.
What I wanted to add is that your last post does not deal with vlan-local traffic; basically everything arriving in a vlan is sent straight to WAN. Not ideal. The mangle rule should disregard local traffic by negating a destination list which contains local IP addresses.
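Tying the NAT rules given earlier in the thread together with the point about excluding vlan-local traffic, here is an added RouterOS v7 sketch for the per-vlan WAN assignment the OP described (vlans 10 and 40 via WAN 1, vlan 20 via WAN 2). It is not from any post in this thread; interface names vlan10/vlan20/vlan40, ether2/ether3, the next-hop addresses and the "router 2" DNS address are assumptions.

```routeros
# Added example, not from any poster. Assumes RouterOS v7, VLAN interfaces
# vlan10/vlan20/vlan40 on the bridge, WAN uplinks ether2 (WAN 1) and ether3
# (WAN 2), and placeholder next-hops 203.0.113.1 / 198.51.100.1. With DHCP
# WANs the gateway addresses must be supplied by the dhcp-client (e.g. via
# its script) rather than hard-coded as they are here.

# 1. Local subnets: traffic to these must never be pushed out a WAN table.
/ip firewall address-list
add list=LAN address=192.168.10.0/24 comment="vlan10"
add list=LAN address=192.168.20.0/24 comment="vlan20"
add list=LAN address=192.168.40.0/24 comment="vlan40"

# 2. One routing table per WAN, each with its own default route.
/routing table
add name=to_wan1 fib
add name=to_wan2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=to_wan2 check-gateway=ping

# 3. Route-mark packets per source VLAN, but only when the destination is
#    not a local subnet, so inter-VLAN and router-bound traffic stays local.
/ip firewall mangle
add chain=prerouting in-interface=vlan10 dst-address-list=!LAN action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=vlan40 dst-address-list=!LAN action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=vlan20 dst-address-list=!LAN action=mark-routing new-routing-mark=to_wan2 passthrough=no

# 4. NAT per WAN interface (dynamic WAN IPs, hence masquerade).
/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade comment="WAN 1"
add chain=srcnat out-interface=ether3 action=masquerade comment="WAN 2"

# 5. Enforce "not a single bit on the wrong WAN" in the filter as well, so a
#    routing mistake drops traffic instead of leaking it. Place these above
#    the general forward accept rules.
/ip firewall filter
add chain=forward in-interface=vlan10 out-interface=ether3 action=drop comment="vlan10 only via WAN 1"
add chain=forward in-interface=vlan40 out-interface=ether3 action=drop comment="vlan40 only via WAN 1"
add chain=forward in-interface=vlan20 out-interface=ether2 action=drop comment="vlan20 only via WAN 2"

# 6. Per-VLAN DNS handed out by DHCP: public resolvers for the WAN 1 vlans,
#    the assumed "router 2" address 192.168.1.1 for the WAN 2 vlan.
/ip dhcp-server network
set [find address=192.168.10.0/24] dns-server=9.9.9.9,1.1.1.1
set [find address=192.168.40.0/24] dns-server=9.9.9.9,1.1.1.1
set [find address=192.168.20.0/24] dns-server=192.168.1.1
```

Check the result with `/ip route print where routing-table=to_wan1` and `/ip firewall mangle print stats` to confirm each VLAN's counters rise only on its own mark rule.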
again liviuu, providing a specific solution to a perceived problem may or may not be the right approach.
Perhaps in your case mangling is NOT required only routing rules!
Maybe the mangling and requirements can be met in more efficient ways etc…
Certainly all feasible and best done WITHIN context of the whole.
a. identify all the user(s)/device(s) OR groups of users and devices
b. identify all their traffic requirements…
SIMPLE and would capture the fact that
(i) vlanAB traffic that has to go out WANX
(ii) vlanAB traffic needs access to shared printer on vlan XY
(iii) Admin user needs access to VLANAB device .55
(iv) If WANX is not available VLAN AB and any other users utilizing WANX may or may not be moved to WANZ
(v) although vlanAB is to only use WANX, you want vlans CD, EF, GH to load balance outgoing traffic on WANs X, Y, Z
Once one understands the entirety of requirements, any servers on the LANs, any router services being accessed, complete WAN failover description etc…
then and only then should one be barking out potential solutions and design the config.
Others may tend to jump in to ‘fix’ one aspect, but to do so without understanding the whole, is in many cases a waste of time - based on working on 1000s of posts.
I don’t mind help when truth, facts, context are provided.