I want help integrating a pfSense firewall and MikroTik. It has taken 6 months with no hope.
Here is the idea behind that:
I want, and prefer, to use MikroTik as a hotspot and traffic shaper,
and use pfSense as a cache server and for web filtering, but I want to do it for each client, so that every client can have a custom web filter set if he asks for one.
So the network order I set is:
ISP Router - pfSense - MikroTik - Clients
The problem I am facing is that, as you know, the filtering at pfSense is applied to one IP, that of MikroTik's WAN, as pfSense acts as MikroTik's gateway.
My dream is to pass the traffic from MikroTik client by client and route it to pfSense so that it shows up there as individual IPs, so I can apply web filtering to each connection one by one.
Sorry for my poor English; I tried so hard to explain the situation.
Please help.
Thank you. I wish you a good life and health.
Hi, I am using MikroTik for an ISP,
but MikroTik can't support the VLAN concept.
So I have a question: can I use the MikroTik hotspot with pfSense?
I want to use MikroTik as a web server only for captive pages.
You will need to explain more of what you are looking to do; it's not clear at all based on the information that you provided. It's also better to start a new thread instead of posting to one that is more than 2 years old, to avoid confusion.
1.) MikroTik supports VLANs just fine, but you have to answer: how do you want to use them? MikroTik treats each VLAN as a separate routed layer 3 interface that can run its own services, like DHCP, Hotspot, have an IP address on it, and so on.
2.) You can use as many devices in line as you want to, as long as you understand how networks and routing work. So you need to explain what you are trying to achieve here. Yes, the MikroTik can act just as a captive portal and then use the pfSense as its next hop on the way out to the internet. The MikroTik is still a router though and will route packets as it is designed to do.
Actually, we want to use VLANs for our POPs. Every POP should be in a different VLAN, and each POP is connected over fiber using L3 switches (SFP compatible). As per the image, we want each L3, i.e. the first switch at the POP, to be connected with the MikroTik; then the distribution should be done as per the VLAN, and clients should get an IP from the MikroTik DHCP created individually for each VLAN. We tried from our side, but the directly connected L3 switch is communicating with the MikroTik while the other L3 switches are not connecting with the MikroTik, due to which the client doesn't get an IP from the MikroTik.
We got ping from the MikroTik to the other L3 switches at the POP, but the other POPs are not getting internet, and the trunk and access ports of the switch don't communicate.
Our hardware list is:
1. MikroTik RouterOS 6.31 (PC version)
2. Cisco 2950 L3
3. Cisco 3750 L3
4. Cisco SF300 L3
Every switch has fiber as well as Ethernet ports.
Then chances are you do not have the switches configured properly for it to work like you are expecting or wanting. The MikroTik should have VLAN 10, 20, and 30 created on its LAN interface going to switch one. These VLANs should each have their own DHCP server, subnet, and IP addresses. Each VLAN is its own routed interface, and so any traffic that leaves that "interface" will automatically be tagged with that VLAN. Also, in order for traffic to reach the right interface, it needs to leave the switch with the correct VLAN tag. The uplink port from location 1's switch towards the MikroTik needs to be a trunk port with the appropriate VLANs assigned to it so that it will not only read the VLAN tags that come into it, but also not strip the VLAN tags that leave it.
How you choose to configure the switch is up to you. Having the uplink ports as trunks between all switches allows for some greater flexibility, as you can then choose to have VLAN 20 exist at location 3, for example, if the need ever came up to allow the LAN segment to exist at several POPs. The easier configuration would be to set the uplink port between location 1 and 2 to an access port of VLAN 20 at location 1. This way all incoming traffic from location 2 will be tagged for VLAN 20 by location 1, and the trunk port towards the MikroTik would preserve that VLAN tag. You wouldn't need any specific VLAN configurations on location 2 or 3 then, as it would be all controlled by location 1.
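
The MikroTik side of the layout described in the reply above, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread. The interface name `ether2`, the 10.0.x.0/24 subnets and the pool ranges are assumptions chosen for illustration.

```routeros
# Added example (not from the thread).
# Assumed: ether2 is the LAN port facing the location 1 switch;
# subnets and lease ranges below are constructed sample values.

# One VLAN interface per POP on the LAN port. Frames leaving each
# interface are tagged with its vlan-id; tagged frames arriving on
# ether2 are delivered to the interface with the matching vlan-id.
/interface vlan
add name=vlan10 vlan-id=10 interface=ether2
add name=vlan20 vlan-id=20 interface=ether2
add name=vlan30 vlan-id=30 interface=ether2

# Each VLAN is its own routed interface, so each gets its own
# gateway address and subnet.
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
add address=10.0.30.1/24 interface=vlan30

# Separate lease range per VLAN.
/ip pool
add name=pool10 ranges=10.0.10.10-10.0.10.254
add name=pool20 ranges=10.0.20.10-10.0.20.254
add name=pool30 ranges=10.0.30.10-10.0.30.254

# One DHCP server bound to each VLAN interface, not to ether2 itself.
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no
add name=dhcp30 interface=vlan30 address-pool=pool30 disabled=no

# Options handed to clients in each subnet.
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
```

With this in place, `/ip dhcp-server lease print` shows which VLAN's server answered each client. A POP whose clients never appear there points to the VLAN tag being lost on a switch port before it reaches `ether2`.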