New Hex, need help.

I just recently picked up a (hEX) RB750Gr2 to replace a Cisco SMB router that recently died. Being new to ROS, I’m trying to work with WebFig, but may switch to Winbox or telnet, and am looking for a little help. I know what I want to do, but am not familiar enough with ROS to make things work. Maybe I just need to find the right tutorial.

I’m looking to set it up this way.

Interface 1 - WAN
Interface 2 - Gateway for VLAN 1
Interface 3 - Gateway for VLAN 2
Interface 4 - Gateway for VLAN 3
Interface 5 - Port for access to VLAN 2

VLAN 1 (int 2) needs access to VLAN 2 and the WAN, no access to VLAN 3
VLAN 2 (int 3 & 5) needs access to VLAN 1 only, no access to WAN or VLAN 3
VLAN 3 (int 4) needs access to the WAN only, no access to VLANs 1 & 2

I would like configuration access to the RB750Gr2 to be on the interface 3 IP only, making it available to VLANs 1 & 2 only.

Interface 1 (WAN) will plug into a Cable modem. Interfaces 2-4 will plug into a VLAN aware Cisco SMB switch. Interface 5 will be left unplugged for direct physical access to the router.

I was going to connect all ports as access ports to the Cisco switch and just route everything on the RB750Gr2 without involving the VLANs, but read I might get better performance if I used interfaces 2,3 & 5 as a switch and used VLAN bridging on the RB750Gr2 between them. If this is the way to do it, then VLAN 2 will be the PVID and interface 2 is the master port.

So now for the questions. How do I route between the interfaces? LAN to WAN, WAN to LAN & LAN to LAN (or VLAN bridged)? Is VLAN bridging ideal between interfaces 2, 3 & 5? How do I restrict access to the router’s configuration interfaces to a single IP?

Thanks in advance for the help.

I think I got it the way I wanted it, thanks to the information at http://gregsowell.com/?page_id=951. I didn’t use VLANs on the router to keep it simple, but they are on the SMB switch these interfaces are connected to. I don’t know that interfaces 2, 3 & 5 are using the switching chip, but I’d still like them to, as my switch doesn’t offer layer 3 switching. I wouldn’t mind some advice to optimize and secure this MikroTik. Here’s the config if anyone has anything to offer. Thanks.

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip pool
add name=Home ranges=10.3.3.5-10.3.3.30
add name=Guest ranges=192.168.3.2-192.168.3.6
/ip dhcp-server
add address-pool=Guest disabled=no interface=ether3-slave-local lease-time=1d \
    name="Guest Network"
add address-pool=Home disabled=no interface=ether2-master-local lease-time=4d \
    name="Home Network"
/ip address
add address=10.3.3.1/27 comment="Home PC's" interface=ether2-master-local \
    network=10.3.3.0
add address=172.30.3.1/29 comment="Network Devices" interface=\
    ether3-slave-local network=172.30.3.0
add address=192.168.3.1/29 comment="Guest Network" interface=\
    ether4-slave-local network=192.168.3.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server network
add address=10.3.3.0/27 comment="Home Network" dns-server=\
    208.67.220.220,208.67.222.222 gateway=10.3.3.1 netmask=27
add address=192.168.3.0/29 comment="Guest Network" dns-server=\
    208.67.222.222,208.67.220.220 gateway=192.168.3.1 netmask=29
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.3.3.1 name=router
/ip firewall filter
add action=drop chain=input comment="Guest cannot access MikroTik" \
    src-address=192.168.3.0/29
add action=drop chain=forward comment="Guest cannot access Devices network" \
    dst-address=172.30.3.0/29 src-address=192.168.3.0/29
add action=drop chain=forward comment="Guest cannot access Home network" \
    dst-address=10.3.3.0/27 src-address=192.168.3.0/29
add action=drop chain=input comment="No MikroTik access to 192 interface" \
    dst-address=192.168.3.1
add action=drop chain=input comment="No MikroTik access 10 network" \
    dst-address=10.3.3.1
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=input comment="Drop incoming pings - Internet side" \
    in-interface=ether1-gateway protocol=icmp
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment=Home dst-address=0.0.0.0/0 \
    out-interface=ether1-gateway src-address=10.3.3.0/27
add action=masquerade chain=srcnat comment=Guest dst-address=0.0.0.0/0 \
    out-interface=ether1-gateway src-address=192.168.3.0/29
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Phoenix
/system ntp client
set enabled=yes primary-ntp=4.53.160.75 server-dns-names=8.8.8.8
/system package update
set channel=current
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
/tool bandwidth-server
set enabled=no
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
/tool romon port
add
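As an added example, not part of the original post: the filter section rewritten as default-deny rules that implement the policy stated in the first post, using the subnets and interface names from the export. It assumes RouterOS v6 on this RB750Gr2 with Winbox (TCP 8291) as the only enabled management service, as in the export; the address-list names are my own.

```routeros
# Added example, not the poster's configuration. Subnets and interface
# names come from the export above; the list names are assumptions.
/ip firewall address-list
add list=home address=10.3.3.0/27
add list=devices address=172.30.3.0/29
add list=guest address=192.168.3.0/29

# Winbox may only be reached from Home and Devices sources
/ip service
set winbox address=10.3.3.0/27,172.30.3.0/29

/ip firewall filter
# --- input: packets addressed to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1-gateway action=drop comment="nothing from WAN"
add chain=input protocol=udp dst-port=67 action=accept comment="DHCP requests from LAN"
add chain=input protocol=udp dst-port=53 src-address-list=home action=accept \
    comment="router as DNS for Home (allow-remote-requests=yes)"
add chain=input protocol=icmp action=accept comment="ping from LAN only (WAN dropped above)"
add chain=input dst-address=172.30.3.1 protocol=tcp dst-port=8291 \
    src-address-list=home action=accept comment="Winbox from Home, ether3 IP only"
add chain=input dst-address=172.30.3.1 protocol=tcp dst-port=8291 \
    src-address-list=devices action=accept comment="Winbox from Devices, ether3 IP only"
add chain=input action=drop comment="default deny: Guest, and Winbox at 10.3.3.1/192.168.3.1"

# --- forward: packets routed between interfaces ---
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=home out-interface=ether1-gateway action=accept \
    comment="Home -> WAN"
add chain=forward src-address-list=guest out-interface=ether1-gateway action=accept \
    comment="Guest -> WAN"
add chain=forward src-address-list=home dst-address-list=devices action=accept \
    comment="Home -> Devices"
add chain=forward src-address-list=devices dst-address-list=home action=accept \
    comment="Devices -> Home"
add chain=forward action=drop \
    comment="default deny: Guest<->Home, Guest<->Devices, Devices->WAN, Devices->Guest, Home->Guest"
```

The mac-server and mac-winbox entries on ether2-master-local in the export still let Winbox and MAC-Telnet reach the router by MAC address from the Home port, outside any /ip firewall rule, so they need to be moved to ether3-slave-local or disabled if the "interface 3 only" requirement is to hold.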