New to Mikrotik world, need help setting up the network

Hi everyone.
I’m new to the Mikrotik world and to network setup. I might use some weird terms, please bear with me.

I have a network as you can see in the diagram. The bridge-mode ONU has DHCP and WLAN disabled. I want the RB750GR3 to be the PPPoE and DHCP server. I can connect the ONU with the 750GR3 successfully. Given the rest of my equipment, I am just wondering what setup I should use for ether2-5. Should they be bridged together? Should I do master/slave (ether2 as master, the rest as slaves)? Or should I configure them separately, each with a different subnet? Which way is the best approach in this case? And how do I set them up?

Please advise. Thank you in advance.
MikrotikSetup.jpg

It all depends on what you’re doing on the LAN side of the router.

It’s good that you’ve posted a drawing, but unfortunately the drawing doesn’t convey any information about your logical topology - do you want separate VLANs for different purposes?
Will the switch be performing VLAN trunking or is it just a flat unmanaged switch?
Are the WAPs going to be just WAPs, or are they going to be wireless routers?

You mention PPPoE on the inside, but don’t give any additional information about it…

In general, you want a separate layer2 broadcast domain for each unique “policy area” of your network.
i.e. a different VLAN for pppoe, for trusted hosts/devices, for guest devices, etc…

Talk about the types of internal network segments you intend to deploy (in general terms, no need for specifics about interfaces just yet).

If this is all just your home network, then I recommend that you make it one flat network, and use HW-switching between the ethernet interfaces 2-5 for maximum performance and minimum hassle.

The best approach is the approach that matches your expectations.
Are you talking about a flat layer2 network (all devices in one network, no particular restrictions in the network, all clients can see and talk to each other)? If so, set ether3-4 as slaves of ether2. Add ether2 to your bridge and you’re done.
If you need or want segmentation, keep ports individual and configure them according to your needs. Once that is working, configure your firewall to block inter-network traffic as needed.

In case you’re starting with the default config, make sure your firewall rules match your PPPoE-out interface, default is ether1.

-Chris

Thanks for reply.

I just want this as one whole network as plain as possible. All clients can see and talk to each other.

WLAN and DHCP are disabled on the ONU.
The Mikrotik is doing the PPPoE dial-out and all the DHCP stuff.
The APs serve as simple WAPs, no routing, no DHCP.
The switch is unmanaged.
No VLAN or any restrictions whatsoever.

The best approach in my mind is one that is easy to set up and maintain and yet gives maximum performance.

In that case, this is my recommendation for you:

Pretty much the out-of-the-box configuration is all you need. Since you mention PPPoE as your WAN’s connection type, the main thing to double-check is your firewall rule settings.
Out of the box, they refer to ether1 as the WAN interface. If you set up a PPPoE interface, this is NOT ether1 from the firewall’s perspective (even if it connects via ether1 - ether1 is not an IP interface - it just carries the PPPoE data). This means that you need to modify your firewall’s filter rules so that anywhere you see ether1, you change it to pppoe1 instead.

The most common problem for new users is that they enable PPPoE, notice that it’s not working immediately, and soon they discover that the NAT rule needs to refer to pppoe1. They fix this, and everything starts working, and so they feel they’re finished, but they forgot to fix the filter rules. This leaves their WAN unprotected, and the most common thing that happens is that their routers get scanned and discovered as open DNS relays. Eventually, some botnets out in the wild will use these unprotected routers as amplifiers in their DDoS attacks, which leads these users to come to the forums here asking why they see high CPU % and 100% of their upstream bandwidth consumed…

So in short - go through your IP > Firewall > Filters chains and make sure that any rule referencing in-interface=ether1-gateway (or out-interface=ether1-gateway) is updated to refer to pppoe1 instead.
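The configuration the last two replies describe, as an added example that is not from the thread or from MikroTik’s own default script: a flat LAN on ether2-5 (Chris’s master/slave plus bridge suggestion) together with the PPPoE client, the NAT rule and the filter rules rewritten from ether1-gateway to pppoe1, followed by the check that nothing still references the physical port. The interface names pppoe1 and bridge-local, the PPPoE credentials, and the 192.168.88.0/24 addressing are assumptions; substitute your own.

```routeros
# Added example, not the thread's or MikroTik's own config. Names below
# (pppoe1, bridge-local, USER/PASS, 192.168.88.0/24) are assumptions.
# The "master-port" switch model applies to RouterOS 6.40 and earlier; on
# 6.41+ skip step 1's ethernet line and add ether2-5 to the bridge directly,
# the switch chip offloads bridging automatically.

# 1. Flat LAN: ether3-5 switched in hardware behind ether2, ether2 in a bridge
/interface ethernet
set ether3,ether4,ether5 master-port=ether2
/interface bridge
add name=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether2

# 2. LAN addressing and DHCP on the bridge; the router is the LAN's DNS
/ip address
add address=192.168.88.1/24 interface=bridge-local
/ip pool
add name=dhcp-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=dhcp-lan interface=bridge-local address-pool=dhcp-pool disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
# allow-remote-requests is what makes the router answer DNS for the LAN; the
# input drop on pppoe1 in step 5 is what stops it being an open DNS relay.
/ip dns
set allow-remote-requests=yes

# 3. PPPoE dial-out on ether1. The layer-3 WAN interface is pppoe1, not ether1.
/interface pppoe-client
add name=pppoe1 interface=ether1 user=USER password=PASS add-default-route=yes use-peer-dns=yes disabled=no

# 4. NAT: the rule most people remember to fix
/ip firewall nat
add chain=srcnat out-interface=pppoe1 action=masquerade

# 5. Filter: the rules most people forget. Every rule that matched
#    ether1-gateway in the default config must match pppoe1 here.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp in-interface=pppoe1
add chain=input action=drop in-interface=pppoe1 comment="drop everything else from WAN, incl. DNS"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe1

# 6. Check: both prints should return no rows (use the name your physical WAN
#    port actually has, ether1-gateway in the default script, ether1 otherwise)
/ip firewall filter print where in-interface=ether1-gateway
/ip firewall nat print where out-interface=ether1-gateway
# Bulk-fix an existing default config in place instead of re-adding rules:
/ip firewall filter set [find in-interface=ether1-gateway] in-interface=pppoe1
/ip firewall nat set [find out-interface=ether1-gateway] out-interface=pppoe1
```

After applying this, a quick external sanity check is to query the PPPoE address for DNS from outside the LAN (for example with dig against the public IP); it should time out rather than answer. If it answers, the input chain still has a rule matching the physical port name instead of pppoe1, or the drop rule sits below an accept that is broader than intended.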