Please help a total noob. Basic config.

Hi All,

I am brand new to the world of MikroTik and a first-time user of the RouterBOARD product, specifically the model RB2011Ui AS-IN. I have followed a few basic setup tutorials and guides but cannot seem to get the device to work properly.

Interfaces labelled as follows: ETH1 = WAN and ETH2 = LAN

All I am trying to do is set it up so that my internet connection coming from the ISP connects to ETH1 (WAN) and is accessible through ETH2 (LAN).

DHCP Client has been configured on ETH1 and it has gotten an IP address, subnet mask, etc. from the ISP. A DHCP server with a default pool has been created and ETH2 (LAN) has been assigned to it; however, this is now red. What other steps do I need to do to get to the internet from the LAN? Are there any routes, firewall rules, etc. that I need to configure?

Thanks in advance,

Mike

Hello, do you have a bridge for your internal network? Which interface has been assigned for your LAN? /ip address

In your DHCP client, do you have a default route?

If it’s red then it’s not set up properly. If there’s a LAN bridge then use that as the LAN interface. The physical interfaces just become ports for the bridge, so you can’t assign IPs to them directly.

It could also be that the IP settings of the DHCP server don’t match the IP of the interface itself.

Hi,

There is no bridge set up. Should I configure it? Which ports should I assign to it? How complex is it to set up a bridge?

“In your DHCP client, do you have a default route?” Where do I set this up?

Sorry if I seem completely lost, I probably am, but I am determined to get this set up properly, granted I can get a little guidance from the pros.

To put it simply, I want the WAN connected to ETH 1 and my LAN connected to ETH 2. The WAN side will get its IP address, subnet mask, and gateway from the ISP and therefore it should be set to DHCP Client, correct? What else should I configure on the WAN side?

Then, the LAN side (ETH2) should run a DHCP Server with its own pool. Are there other items to configure like default routes on this side or not?

Mike.

The 2011 has two switch chips in it - switch1 controls the gigabit ports (sfp1, ether1-5) and switch2 controls the 10/100 ethernet ports (ether6-ether10)

The usual way to set up a 2011 is to use hardware switching within the two switch groups, and creating a bridge that connects the two switches’ master ports, as well as the WiFi.
Go into ethernet interfaces configuration and…
set master-port=none on ether1, ether2, ether6
set master-port=ether2 on ether3-5
set master-port=ether6 on ether7-10
Create a new bridge interface, and call it something obvious like LAN
Go into the ports tab and add interfaces ether2, ether6, and wlan1 to the LAN bridge.

The IP address you previously have on ether2, move it to the bridge interface.
Go through your NAT / Filter rules in the firewall and update any rules that refer to ether2 - change it to LAN for every place you find “ether2”

The easiest way to set up DHCP is to use the built-in “wizard” button in Winbox (It’s called DHCP Setup) - before running it, though, you should have the IP address configured on the interface, and have DNS configured in the system, so that the DHCP setup wizard will use these values to set everything up.

There are 3 basic components to a working DHCP server configuration in ROS:

  • IP Pool (this is simply the list of actual IP addresses available for assignment, and it tracks which are used/available)
  • Network (this is the “scope” if you’re used to other DHCP servers - it’s where the options are configured, such as default GW, DNS server, etc)
  • DHCP Server - this is the DHCP process itself, and this is where things are configured such as which interface to listen on, etc.

If you want to start over from scratch with the DHCP service, just remove your DHCP server, the Network, and the IP pool and then run the Setup wizard. In your case, you’ll want to use the LAN interface in your settings.


Once done with all of this, every interface is a LAN port - plug into any of them and you’re on the LAN. (obviously, this isn’t true for ether1 and sfp1)

Now we are getting somewhere… this makes a lot of sense. I think maybe I left out a crucial piece of information. The network range on the WAN side is the same as what I need to use on the LAN side. IOW, the WAN port received an IP of 192.168.1.61 from the ISP (3rd party router).

On my LAN side I need to use the same network range. Surely, given that they are on different sides of the router, so to speak, it should be possible. I’m just not too sure about the routes, NAT, etc.

Thanks in advance,

Mike

Use different non overlapping networks on both sides of the router.

Definitely not.

Consider that your router is examining a packet whose destination IP address is 192.168.1.77
WHICH 192.168.1.77 does this refer to? There’s no information in the packet that can say that.

It’s not actually the same subnets being the main problem, it’s DHCP on WAN, because it might be a little unpredictable. You don’t really care about whole /24 (most likely) on WAN, only about ISP’s gateway and the address you get from DHCP. You can’t use those two on your LAN, but anything else is fine, nobody (purists excluded) cares if it overlaps. If you could be sure that both these addresses are static (ISP does not change gateway address and there’s DHCP reservation for your address), then it’s probably doable (it works, I tested it, but not extensively).

Let’s start with the WAN config:

/ip dhcp-client
add interface=ether1-wan
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan

Assume the gateway is 192.168.1.1 and DHCP gives you 192.168.1.61, those can’t be used in LAN, some other address is needed there (note the mask):

/ip address
add address=192.168.1.254/32 interface=ether3-lan

Add standard DHCP server:

/ip pool
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.150
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether3-lan name=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254

And finally fix the routing:

/ip route
add dst-address=192.168.1.0/24 gateway=ether3-lan routing-mark=my-lan
/ip route rule
add action=lookup-only-in-table dst-address=192.168.1.1/32 table=main
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=my-lan
/ip arp
add address=192.168.1.1 interface=ether3-lan published=yes

As I wrote, everything seems to work fine here. But remember, it’s more of a hack than a proper solution. The main problem remains DHCP on WAN. If it’s really dynamic and can hand out any address from the /24, it’s just a matter of time before it conflicts with the same address on LAN. So once more: don’t do it. And for the record, in my defense, it sounded like a fun thing to try. :wink:

Hi!

Sorry to revive an old thread, but the last part leaves me wondering…

Why?
I’ve run QuickSet on a clean router and I’ve tried to match your lines with the given configuration. I don’t get any of these last lines. Why is it necessary, or recommended?

Please don’t take it the wrong way, but if you’re using QuickSet, you probably shouldn’t try to use this config. :wink: It’s not the proper way to do it, it’s a dirty hack. It’s fun to play with, but not that much for serious use. Change the LAN subnet and save yourself future troubles.

But to answer your question…

The problem is that there’s the same subnet on two interfaces and that’s generally wrong, because as was already explained, if the router gets a packet for 192.168.1.x, it doesn’t know where to send it; the destination might be on one interface or the other, and it can’t be sent to both. So if you’d want to have all addresses from this subnet accessible on both interfaces, it’s impossible. But if you know that you don’t need all addresses, it’s possible to do something. In this case there’s 192.168.1.1 (default gateway) reachable on WAN, and 192.168.1.x directly on the router’s WAN interface. If you don’t use them in LAN, it can work.

This is an alternative routing table, which tells the router that the subnet is on the LAN interface:

/ip route
add dst-address=192.168.1.0/24 gateway=ether3-lan routing-mark=my-lan

The main routing table will have this subnet on WAN.

These are hints for routing: 192.168.1.1 will use the main routing table (so it will be found on WAN) and the rest of the subnet will use the other one, to go to LAN:

/ip route rule
add action=lookup-only-in-table dst-address=192.168.1.1/32 table=main
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=my-lan

And this is proxy ARP config, to make 192.168.1.1 accessible from LAN:

/ip arp
add address=192.168.1.1 interface=ether3-lan published=yes
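
The table selection explained above, modelled in Python as an added example (it is not part of the original posts and is not RouterOS code). `egress` and `lease_conflicts` are hypothetical names, the routes in the main table are assumed to be what a DHCP lease of 192.168.1.61/24 with gateway 192.168.1.1 installs, and traffic addressed to the router itself is not modelled.

```python
import ipaddress as ip

# Simplified model of the thread's setup (constructed for illustration).
# /ip route rule entries, evaluated top to bottom; first match picks the table.
RULES = [
    (ip.ip_network("192.168.1.1/32"), "main"),    # ISP gateway: found via WAN
    (ip.ip_network("192.168.1.0/24"), "my-lan"),  # rest of the subnet: LAN
]
# Routes per table. The "main" entries are assumed: what a DHCP lease of
# 192.168.1.61/24 with gateway 192.168.1.1 would install on ether1-wan.
TABLES = {
    "main": [(ip.ip_network("192.168.1.0/24"), "ether1-wan"),
             (ip.ip_network("0.0.0.0/0"), "ether1-wan")],
    "my-lan": [(ip.ip_network("192.168.1.0/24"), "ether3-lan")],
}


def egress(dst):
    """Return (table, interface) used to forward a packet to dst."""
    addr = ip.ip_address(dst)
    table = "main"  # no rule matched: ordinary lookup in main
    for net, name in RULES:
        if addr in net:
            table = name  # lookup-only-in-table: no fallback elsewhere
            break
    hits = [(net.prefixlen, ifc) for net, ifc in TABLES[table] if addr in net]
    return table, (max(hits)[1] if hits else None)  # longest prefix wins


def lease_conflicts(wan_lease, pool=("192.168.1.100", "192.168.1.150"),
                    lan_static=("192.168.1.254",)):
    """True if the WAN lease is an address the LAN also hands out or uses."""
    lease = ip.ip_address(wan_lease)
    lo, hi = (ip.ip_address(a) for a in pool)
    return lo <= lease <= hi or wan_lease in lan_static


if __name__ == "__main__":
    for dst in ("192.168.1.1", "192.168.1.77", "192.168.1.50", "8.8.8.8"):
        print(dst, egress(dst))
    for lease in ("192.168.1.61", "192.168.1.120"):
        print(lease, "conflicts" if lease_conflicts(lease) else "ok")
```

In this model 192.168.1.50 is sent out ether3-lan even if a host with that address sits on the ISP side, and a WAN lease inside 192.168.1.100-192.168.1.150 collides with the LAN pool, which is the failure the post warns about.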

Yes! Right! I didn’t think about it thoroughly. It’s related to the “same network range” problem this guy has. Sorry for the stupid question… :confused:

I see clearly now! Thanks for your description!